TechSpot

Iexplore running in background, website redirection

By DonD
Nov 8, 2011
  1. Hello,

    I really need your help! I have a virus or malware of some sort on my system that I cannot get rid of and was wondering if you could help me remove it? Or direct me to a proper forum for some help?

    I was on the Southwest Airlines web site (www.southwest.com) last Friday when my system slowed down and I noticed Java loading in the system tray, which I don't recall seeing when on this site in the past. Then Internet Explorer was shut down. I then noticed that the Task Manager buttons were disabled so I could not start the Task Manager. Every time I reboot my computer now there is an iexplore.exe process running in the background. If I kill it, it will restart after a minute or two. In addition, when I try to go to different web sites, Internet Explorer will randomly redirect me to other sites. It will also pop up ads occasionally. This iexplore.exe background process will normally continue to eat up memory until it finally causes it to crash.

    At one point after rebooting, only a few of my services would start? After doing some investigating I realized that the SVCHOST.EXE program was deleted. I restored it from another computer and then they started fine. This hasn't happened again.

    I occasionally notice that winword.exe is also running in the background after rebooting, even though Word and Outlook are not running. However, this happens much less frequently than iexplore.exe showing up in the background.

    Not sure if this is of any help or not, but a file was created in c:\windows\system32 when I noticed this stuff happening called d3d9caps.dat.

    If I boot under Safe Mode, iexplore does not show up in the background. However, if I boot up under Safe Mode with Networking, then it does launch in the background. So this eliminates a lot of the various programs that get launched at boot time from being the culprit, since it happens when booting into Safe Mode with Networking.

    The program Process Explorer shows that iexplore.exe (when running in the background) is being launched by Explorer.exe. If I kill the Explorer.exe process, then iexplore.exe does not get launched in the background, which confirms it is being launched by Explorer.exe. One thing I noticed is that after killing the Explorer.exe process, it does not get restarted automatically, which I seem to remember it doing in the past? The malware may be doing this to prevent it from being killed by simply restarting Explorer.exe?

    I am running Windows XP Pro (Service Pack 3).
    For anti-virus software I am running Symantec Endpoint Protection Version 11.


    Here is a list of the services that are running under Safe Mode with Networking and not under Safe Mode:

    Computer Browser
    DHCP Client
    DNS Client
    Messenger
    Net Logon
    Network Connections
    Server
    TCP/IP Net Bios Helper
    Terminal Services
    Windows Firewall/Internet Connection Sharing (ICS)
    Wireless Zero Configuration
    Workstation

    I disabled all of these services a few at a time and the only one that made a difference was the DHCP Client.

    If I disable the DHCP Client service then iexplore does not get launched in the background. As soon as I enable DHCP Client then it gets launched. Not sure if my DHCP Client service got hijacked or if the malware does not try to do anything if an internet connection cannot be established?

    I installed Malwarebytes and ran the various scans.
    Here is the Malwarebytes Quick Scan log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8092

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/5/2011 1:51:12 PM
    mbam-log-2011-11-05 (13-51-12).txt

    Scan type: Quick scan
    Objects scanned: 301177
    Time elapsed: 14 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cl.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Temp\mgkpyeoriquvgj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    Here is the Malwarebytes Flash Scan log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8092

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/5/2011 2:04:26 PM
    mbam-log-2011-11-05 (14-04-26).txt

    Scan type: Flash scan
    Objects scanned: 246983
    Time elapsed: 2 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Here is the Malwarebytes Full Scan log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8092

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/5/2011 3:50:42 PM
    mbam-log-2011-11-05 (15-50-42).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 419013
    Time elapsed: 1 hour(s), 41 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{b5900582-1901-4f7e-bafe-8feb08721d95}\RP2722\A0477191.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    Here is the latest Malwarebytes Protection log:

    01:47:35 don MESSAGE Scheduled update executed successfully
    01:47:36 don MESSAGE IP Protection stopped
    01:48:48 don MESSAGE Database updated successfully
    01:48:52 don MESSAGE IP Protection started successfully
    07:56:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    07:56:55 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    07:57:01 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    07:58:49 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    07:58:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    07:58:58 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    08:00:48 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    08:00:51 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    08:00:57 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    08:10:14 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:17 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:23 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:34 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:37 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:43 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:55 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:10:58 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:11:04 don IP-BLOCK 86.55.210.83 (Type: outgoing)
    08:12:12 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:12:15 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:12:21 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:12:32 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:12:35 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:12:41 don IP-BLOCK 208.73.210.29 (Type: outgoing)
    08:34:24 don MESSAGE Protection started successfully
    08:34:43 don MESSAGE IP Protection started successfully
    08:48:22 don IP-BLOCK 206.161.121.100 (Type: outgoing)
    08:48:25 don IP-BLOCK 206.161.121.100 (Type: outgoing)
    09:08:05 don MESSAGE Protection started successfully
    09:08:14 don MESSAGE IP Protection started successfully
    09:20:06 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:20:09 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:20:15 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:22:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:22:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:22:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:24:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:24:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:24:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
    09:33:34 don MESSAGE Protection started successfully
    09:33:38 don MESSAGE IP Protection started successfully

    After having Malwarebytes correct the errors it found, I still have the same problem with iexplore.exe getting launched in the background.


    Here is the HijackThis log file:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:14:47 PM, on 11/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
    C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
    C:\WINDOWS\SYSTEM32\k9nt.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Temp\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - Trusted Zone: http://www.powerball.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://srv1/ConnectComputer/nshelp.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datalink.lan
    O17 - HKLM\Software\..\Telephony: DomainName = datalink.lan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datalink.lan
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith - C:\WINDOWS\SYSTEM32\k9nt.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 11597 bytes

    I tried to run GMER.exe and got the following error:
    LoadDriver("C:\Temp\pxtdapow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

    After clicking OK, the program came up and seemed to be OK.

    Here is the GMER.EXE log file:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-08 10:30:02
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
    Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...

    ---- EOF - GMER 1.0.15 ----


    I have been unable to find the hook this virus/malware has into Explorer. Please let me know if there is anything else I can provide for you to help me eliminate this virus or malware! Thank you so much for any help you could provide me.

    Don
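The Protection log above shows the pattern worth recognising in this kind of case: the same outgoing destination blocked three times a few seconds apart, then the same three attempts again about two minutes later. The following is an added example (not code from the thread or from Malwarebytes) that parses lines in the posted `HH:MM:SS user IP-BLOCK a.b.c.d (Type: outgoing)` format and reports that retry schedule per destination; SAMPLE_LOG is constructed with TEST-NET addresses but mirrors the posted timings.

```python
"""Summarise Malwarebytes IP Protection log lines by destination and flag
destinations that are retried on a fixed schedule.
Added example for this thread, not Malwarebytes code. SAMPLE_LOG is
constructed (TEST-NET addresses); the timings copy the posted log."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<kind>IP-BLOCK|MESSAGE)\s+(?P<rest>.*)$"
)
IPBLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+)\)$"
)

# Constructed sample in the posted format: three attempts ~3 s and ~6 s apart,
# repeated roughly every two minutes, plus an unrelated two-attempt destination.
SAMPLE_LOG = """\
07:56:52 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:56:55 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:57:01 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:49 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:52 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:58 don IP-BLOCK 192.0.2.10 (Type: outgoing)
08:00:48 don IP-BLOCK 192.0.2.10 (Type: outgoing)
08:00:51 don IP-BLOCK 192.0.2.10 (Type: outgoing)
08:00:57 don IP-BLOCK 192.0.2.10 (Type: outgoing)
08:10:00 don MESSAGE Protection started successfully
08:12:12 don IP-BLOCK 192.0.2.20 (Type: outgoing)
08:12:15 don IP-BLOCK 192.0.2.20 (Type: outgoing)
"""


def to_seconds(hhmmss):
    """Seconds since midnight. The log carries no date, so a run that crosses
    midnight would need the caller to add a day offset (assumption: it does not)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_protection_log(text):
    """Return (seconds, user, ip, direction) for every IP-BLOCK line.
    MESSAGE lines are skipped; anything else raises so a mangled paste is noticed."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        if m.group("kind") != "IP-BLOCK":
            continue
        b = IPBLOCK_RE.match(m.group("rest"))
        if not b:
            raise ValueError(f"unrecognised IP-BLOCK payload: {m.group('rest')!r}")
        events.append((to_seconds(m.group("time")), m.group("user"),
                       b.group("ip"), b.group("direction")))
    return events


def group_bursts(times, gap=30):
    """Split sorted timestamps into bursts: events no more than `gap` seconds
    apart are one connection attempt plus its immediate retries."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def summarize(events):
    """Per outgoing destination: block count, bursts, attempts per burst and the
    spacing between bursts, which separates a scheduled retry loop from a
    user clicking a bad link a few times."""
    by_ip = defaultdict(list)
    for t, _user, ip, direction in events:
        if direction == "outgoing":
            by_ip[ip].append(t)
    summary = {}
    for ip, times in by_ip.items():
        bursts = group_bursts(sorted(times))
        starts = [b[0] for b in bursts]
        summary[ip] = {
            "blocks": len(times),
            "bursts": len(bursts),
            "attempts_per_burst": [len(b) for b in bursts],
            "burst_period_s": [b - a for a, b in zip(starts, starts[1:])],
        }
    return summary


def looks_periodic(info, tolerance=10):
    """True for at least three bursts whose spacing varies by <= tolerance seconds."""
    p = info["burst_period_s"]
    return len(p) >= 2 and max(p) - min(p) <= tolerance


if __name__ == "__main__":
    for ip, info in summarize(parse_protection_log(SAMPLE_LOG)).items():
        tag = "periodic" if looks_periodic(info) else "sporadic"
        print(f"{ip}: {info['blocks']} blocks in {info['bursts']} bursts, "
              f"period {info['burst_period_s']} -> {tag}")
```

Run against the real log, the same code would report the posted 07:56/07:58/08:00 and 09:20/09:22/09:24 groups as three-attempt bursts spaced about two minutes apart.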
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    ...means I still need DDS logs.
     
  3. DonD

    DonD TS Rookie Topic Starter Posts: 21

    dds.scr hung

    Hi,

    Thank you so much for responding to my post.

    I tried running the dds.scr script and it keeps locking up the system. It probably ran about 5 minutes before locking up. I let it continue to try and run for about 15 minutes before giving up and turning the power off. I disabled Symantec Endpoint Protection as well as Malwarebytes Anti-Malware before running it. I also disabled the DHCP Client service since that prevents iexplore.exe from getting launched in the background and doing its nasty things.

    The command window shows pound signs as follows:

    Post the contents of the logfile to the forum where it was requested

    ##################################################

    The only other window I had up was Task Manager so I could see what was going on. Task Manager shows the MBR.DAT process as running when it seems to hang up the system. The keyboard is unable to do anything outside of the Task Manager window, including CTRL-ALT-DEL and the Windows key. The clock in the system tray even quit getting updated. Task Manager showed the CPU Usage at 0%, but the Task Manager window would occasionally update itself and flicker. Please let me know how I should proceed?

    Thanks,

    Don
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  5. DonD

    DonD TS Rookie Topic Starter Posts: 21

    TDSSKiller.exe did nothing!

    Hi,

    I downloaded TDSSKiller.exe and tried to run it and nothing happened, other than Windows giving me the Open File Security Warning asking if I wanted to run the file? I clicked on OK and it did nothing.

    So, I tried to run it from a command prompt and had Task Manager up so I could see if it did anything. The command prompt just came back to another prompt, and Task Manager showed the number of processes as never changing, like it never started?

    What should I try next?

    Thanks,

    Don
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Try Safe Mode.
    If still nothing....

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
     
  7. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Getting BSOD 0x7B now

    Hi,

    I tried running the TDSSKiller.exe under safe mode, but got the same results. I also tried downloading it from another "good" system and copying it to the infected system and renamed it to don.com, as well as don.exe, and still had the same results of it not doing anything.

    I then downloaded FixTDSS.exe, disabled System Restore, closed all running programs and ran it. It then asked me to restart my system and when it boots now I get a BSOD stop error 0x7B, both in Normal mode and in Safe mode!

    So now my system is unbootable.

    What now???

    Thanks,

    Don
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    1. Insert your Windows XP CD into your CD-ROM drive and make sure that your CD-ROM drive is capable of booting the CD.
    2. Once you have booted from CD, do NOT select the option that states: Press F2 to initiate the Automated System Recovery (ASR) tool.
    You’re going to proceed until you see the following screen, at which point you will press the “R” key to enter the recovery console:

    3. After you have selected the appropriate option from step two, you will be prompted to select a valid Windows installation (typically number 1).
    Select the installation number, and hit Enter.
    If there is an administrator password for the administrator account, enter it and hit Enter (if asked for the password, and you don't know it, you're out of luck).
    You will be greeted with this screen, which indicates a recovery console at the ready:

    4. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    fixboot

    exit

    5. Reboot computer.

    ====================================================================

    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
     
  9. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I booted from my Windows XP CD and for some reason it does not recognize my Administrator password? I normally do not log on under the Administrator account; I normally log on under my own account, which has Administrator rights though.

    I did have another copy of Windows installed under c:\windowst (Temporary Windows) that I needed to resolve a problem several years ago. So, when the CD boot asked me which version I wanted to boot under, I told it to use this temporary version (Option 2). This copy accepted my Administrator password without a problem. So I ran FIXMBR and FIXBOOT under this temporary version. Apparently that wasn't a good idea. I noticed that when FIXBOOT ran it said it was working with drive F:, which I thought was strange, but I went ahead anyway. When it boots now I get an error saying NTLDR is missing.

    Is there a way I can boot from the CD and select my main Windows installation (Option 1) and tell it to use my normal User ID and password (which has Admin rights)? When I was asked for the Administrator password I tried entering <User ID>\<Password>, but that didn't work.

    Can I try to boot from the hard drive and use the Last known good configuration?

    Sorry, I hope I didn't mess things up too bad!

    Don
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  11. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I was unable to try the "Last known..." option because the boot process never gets that far. I get the "NTLDR is Missing" error first. So, I booted from the Windows XP CD and logged in under the temporary installation of Windows that I had installed a long time ago, since my password still works with that version. I copied NTLDR and NTDETECT.COM from the CD from the i386 folder to c:\. Drive c:\ already had them there, but they were different sizes. I then tried to boot from the hard drive and I still get the "NTLDR is Missing" error? I then rebooted and pressed the F12 key to load up the boot options menu. I selected the option to boot the Utility Partition and it came up fine. This is a partition that came preloaded from Dell.

    I then booted from the CD again into the recovery console and the boot.ini file contains:

    [boot loader]
    timeout=5
    default=multi(0)disk(0)rdisk(0)partition(2)
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    multi(0)disk(0)rdisk(0)partition(2)\Windowst="Microsoft Windows XP Professional (Temporary)" /fastdetect

    The output from the recovery console "map" command is:

    ? FAT16 62MB \Device\Harddisk0\Partition1
    C: NTFS 76222MB \Device\Harddisk0\Partition2
    E: 8MB \Device\Harddisk0\Partition3
    A: \Device\Floppy0
    D: \Device\CdRom0


    The FAT16 partition1 came preloaded on my system by Dell as a Utility partition.
    I have no idea what partition3 is (Drive E:)? I've never noticed it before. Not sure if the virus created it or what? If I do a "Dir e:" I get the error "An error occured during directory enumeration."

    I was able to run FIXBOOT C: without a problem.

    I was able to run FIXMBR C: without a problem. However, if I try to run "FIXMBR \Device\Harddisk0\Partition2" I get a warning about it detecting an invalid or non-standard partition table signature? I would think it would be the same device?

    I also checked the BIOS and it seems to be detecting the hard disk properly.

    My question is, since NTLDR is present on c:\, it seems that it must be trying to boot from another partition? Do you think that might be the problem? If so, what change do I need to make to get it to boot from partition2? What would you suggest I try next? I know you suggested I try the repair installation option. But I just want to be sure that it will not replace my registry with a new one. I don't want to have to re-install all of my programs in order to re-build the entries in the registry.

    Thanks,

    Don
     
  12. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Just a quick note regarding the unknown Partition3 I mentioned in the last post. I ran DISKPART from the recovery console and its description for partition 3 is "Inactive (OS/2 Boot man". It gets truncated after that. I have no idea what this is or how it got there. Not that it necessarily matters, but just thought I'd mention it.

    Don
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Remove this line from boot.ini:
    multi(0)disk(0)rdisk(0)partition(2)\Windowst="Microsoft Windows XP Professional (Temporary)" /fastdetect
    This way your other installation won't interfere with the booting process.
     
  14. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I rebuilt the boot.ini file using the recovery console "bootcfg /rebuild" option. I rebooted and still got the "NTLDR is Missing" error. I then created a new boot.ini file on another system and only included my temporary Windows installation (since that's the only one that has a working Administrator account password) and copied it over from a floppy drive. I rebooted and still got the "NTLDR is Missing" error.

    A couple of things I noticed that seem odd are:

    1. When I run fixboot with no options, it says the target partition is E:? That's the weird partition that I don't know where it came from or what it is? That makes me think that it's trying to boot from that partition, rather than my C: Drive partition.

    2. When I run fixmbr \device\harddisk0, I get the warning about it detecting an invalid or non-standard partition table signature. If I let it run and try to run it again, I get the same error? Like it can't create a good one itself? However, if I run "fixmbr c:" it runs without any warnings or errors. Again, this kind of makes me think it's looking at partition3, rather than partition2.

    How can I tell which partition it's looking at, or how can I get it to look at partition2? I'm thinking of using diskpart in recovery console to delete partition3. What would you suggest?

    Thanks,

    Don
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    "invalid or non-standard partition table signature" may indicate problem with the drive itself.

    Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
    Make sure you select the tool that is appropriate for the brand of your hard drive.
    Depending on the program, it'll create a bootable floppy or a bootable CD.
    If the downloaded file is of .iso type, use ImgBurn: http://www.imgburn.com/ to burn the .iso file to a CD (select the "Write image file to disc" option) to make the CD bootable.
    For Toshiba hard drives, see here: http://sdd.toshiba.com/main.aspx?Pa...rivesUSandCanada/SoftwareUtilities#diagnostic

    Note : If you do not know how to set your computer to boot from CD follow the steps HERE
     
  16. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I ran some hard drive diagnostics and it ran clean. I don't think that's the problem. I think the problem is that the active partition is set to partition3, rather than partition2. That's why the fixboot command is defaulting to my Drive E:.

    I'm having a problem finding out how to check/change the active partition when you can't boot Windows. Can you tell me how to do that? The "diskpart" command in the recovery console does not permit you to change the active partition.

    Thanks,

    Don
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  18. DonD

    DonD TS Rookie Topic Starter Posts: 21

    I have GREAT news! I was able to fix the "NTLDR is Missing" error, as well as the BSOD 7B error!

    I created a Windows XP boot floppy disk and a boot.ini file to match my system and boot into my normal Windows partition. I then told it to use the Last Known Good Configuration and it booted fine! I then used Disk Manager to check my partitions, and as I suspected that new unknown partition had been changed to be the active partition, rather than my drive C partition. So I changed my drive C back to be the active partition and I deleted the unknown partition. I then logged off and tried logging in under the Administrator account to see if it knew my actual password, and it did! For whatever reason the repair console didn't recognize it?

    When I logged in the first time I got an error from TDSSKiller saying "Tool failure. Tool must be first run without -postboot". So I booted into Safe Mode and ran TDSSKiller. It told me to reboot, which I did. When I logged on the TDSSKiller scan began. It ended and said "Backdoor.Tidserv has not been found on your computer".

    Since I got Windows to reboot, I have not noticed iexplore processes running in the background. So, I'm not sure if the virus is still lurking out there or not???

    So, what should I do next (if anything)?

    Thanks,

    Don
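    The chain of symptoms in posts 11, 12, 14, 16 and 18 (fixboot defaulting to the unknown E: partition, DISKPART describing it as an "OS/2 Boot man..." partition, fixmbr complaining about the partition table signature, and the eventual fix being to set drive C back as the active partition) all come down to two things stored in the first sector of the disk: the 55 AA signature and which of the four partition entries carries the 0x80 boot flag. The Python script below is an added example for this thread; it is not code from the thread, from the Recovery Console or from DISKPART. It assumes the standard MBR layout (446 bytes of boot code, four 16-byte entries at offset 446, signature at offset 510), parses a 512-byte sector, reports the active partition and signature state, and produces a corrected copy with the NTFS partition active. The sample MBR it audits is constructed to mirror the `map` output in post 11; its LBA offsets are made up.

```python
"""Audit a legacy MBR partition table for the active-partition problem seen in this thread.

Added example; not code from the thread, the Recovery Console or DISKPART.
Assumes the standard MBR layout: 446 bytes of boot code, four 16-byte
partition entries at offset 446, and the bytes 55 AA at offset 510.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"
ACTIVE = 0x80
NTFS = 0x07

# Well-known partition type IDs (standard values; only the ones needed here).
PARTITION_TYPES = {
    0x06: "FAT16",
    NTFS: "NTFS",
    0x0A: "OS/2 Boot Manager",
    0x0B: "FAT32",
    0x0F: "Extended (LBA)",
    0xDE: "Dell Utility",
}


def build_entry(boot_flag, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry; the legacy CHS fields are left zeroed."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries plus the 55 AA signature."""
    table = b"".join(entries).ljust(64, b"\0")
    return b"\0" * TABLE_OFFSET + table + SIGNATURE


def parse_mbr(mbr):
    """Decode the four partition entries and the signature of a 512-byte MBR."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,  # 1-based, the way `map` and DISKPART number partitions
            "boot_flag": boot,
            "active": boot == ACTIVE,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {"signature_ok": mbr[510:512] == SIGNATURE, "partitions": partitions}


def audit_mbr(mbr):
    """Return human-readable findings about the signature and active-partition flags."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("partition table signature is not 55 AA (invalid or non-standard)")
    for p in info["partitions"]:
        if p["boot_flag"] not in (0x00, ACTIVE):
            findings.append(f"partition {p['index']} has an invalid boot flag 0x{p['boot_flag']:02X}")
    active = [p for p in info["partitions"] if p["active"]]
    ntfs = [p for p in info["partitions"] if p["type"] == NTFS]
    if not active:
        findings.append("no partition is marked active; the MBR code has nowhere to hand off")
    elif len(active) > 1:
        findings.append("more than one partition is marked active")
    for p in active:
        if p["type"] != NTFS and ntfs:
            findings.append(
                f"active partition {p['index']} is {p['type_name']} ({p['size_mb']} MB), "
                f"not the NTFS partition {ntfs[0]['index']}; its boot sector runs instead of Windows'"
            )
    return findings


def set_active(mbr, index):
    """Return a copy of the MBR with only partition `index` (1-based) flagged active."""
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFFSET + 16 * i] = ACTIVE if i + 1 == index else 0x00
    return bytes(out)


def sample_mbr_from_thread():
    """Constructed MBR mirroring the thread's `map` output: a 62 MB FAT16 utility
    partition, a 76222 MB NTFS partition, and an 8 MB OS/2 Boot Manager partition
    that is marked active instead of the NTFS one. LBA offsets are made up."""
    spm = 1024 * 1024 // SECTOR  # sectors per MiB
    util = build_entry(0x00, 0x06, 63, 62 * spm)
    win = build_entry(0x00, NTFS, 63 + 62 * spm, 76222 * spm)
    rogue = build_entry(ACTIVE, 0x0A, 63 + (62 + 76222) * spm, 8 * spm)
    return build_mbr([util, win, rogue])


if __name__ == "__main__":
    mbr = sample_mbr_from_thread()
    print("before:", audit_mbr(mbr))
    print("after :", audit_mbr(set_active(mbr, 2)))
```

    To use it on a real disk, pass the first 512 bytes of a sector image to `audit_mbr`; `set_active` only edits the in-memory copy, so writing the result back is a separate, deliberate step. Note that DISKPART's "OS/2 Boot man" description corresponds to partition type 0x0A in the table above, and that the "invalid or non-standard partition table signature" message maps to the signature check: both are visible in the raw sector without booting Windows.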
     
  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Great news!

    Your main culprit was an infected MBR, so you should be fine there.

    I suggest we run some further checks.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  20. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    Here are the logs you requested. The only thing I've noticed as odd, since fixing the MBR problem, is when I launch Outlook a winword.exe process is started in the background. I don't recall seeing that happen until I create/open an E-mail normally. I have not noticed iexplore.exe launching in the background anymore.

    Here are the results of the Malwarebytes Quick Scan:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8138

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/11/2011 8:46:43 AM
    mbam-log-2011-11-11 (08-46-43).txt

    Scan type: Quick scan
    Objects scanned: 298208
    Time elapsed: 15 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Here are the results from GMER:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-11 10:39:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y080M0 rev.YAR51HW0
    Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys

    ---- System - GMER 1.0.15 ----

    SSDT 86E88538 ZwAlertResumeThread
    SSDT 86E88A78 ZwAlertThread
    SSDT 86CCDC10 ZwAllocateVirtualMemory
    SSDT 86F469A0 ZwConnectPort
    SSDT 86F4A4A0 ZwCreateMutant
    SSDT 86E834C8 ZwCreateThread
    SSDT 86CEFD98 ZwFreeVirtualMemory
    SSDT 86E87D28 ZwImpersonateAnonymousToken
    SSDT 86E88460 ZwImpersonateThread
    SSDT 86E84548 ZwMapViewOfSection
    SSDT 86E87C50 ZwOpenEvent
    SSDT 872E3560 ZwOpenProcessToken
    SSDT 872C85B8 ZwOpenThreadToken
    SSDT 86E21C68 ZwResumeThread
    SSDT 872D80C8 ZwSetContextThread
    SSDT 872C6930 ZwSetInformationProcess
    SSDT 872C2A30 ZwSetInformationThread
    SSDT 86E817C0 ZwSuspendProcess
    SSDT 86E8AD50 ZwSuspendThread
    SSDT 872DF5C8 ZwTerminateProcess
    SSDT 86E89920 ZwTerminateThread
    SSDT 86EB00B8 ZwUnmapViewOfSection
    SSDT 86D5FD98 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 7C 804DB6E8 8 Bytes [38, 85, E8, 86, 78, 8A, E8, ...]
    .text ntoskrnl.exe!_abnormal_termination + 440 804DBAAC 8 Bytes [C0, 17, E8, 86, 50, AD, E8, ...]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6A9EF80]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs nlem32nt.sys
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
    Device BA79FD20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice nlem32nt.sys

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
    Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...

    ---- EOF - GMER 1.0.15 ----

    Here are the DDS.SCR DDS.TXT results:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by don at 10:41:13 on 2011-11-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.294 [GMT -6:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    C:\WINDOWS\SYSTEM32\k9nt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\cidaemon.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [QD FastAndSafe] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
    mRun: [POINTER] "c:\program files\microsoft hardware\mouse\point32.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    uPolicies-explorer: <NO NAME> =
    uPolicies-explorer: NoSMMyDocs = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: NoNetworkConnections = 01000000
    uPolicies-explorer: NoStrCmpLogical = 01000000
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: microsoft.com\office
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab
    DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://srv1/ConnectComputer/nshelp.dll
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
    DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
    DPF: {72770C4F-967D-4517-982B-92D6B9015649} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
    DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37602.2634837963
    DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - hxxp://www.splashspot.com/ssviewer2/2.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = :\windows\system32\srrstr.dll cecli scecli scecli
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 nlem32nt;nlem32nt;c:\windows\system32\drivers\nlem32nt.sys [2011-10-20 70024]
    R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2002-4-17 4064]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [2002-3-28 57856]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-5 22216]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111110.035\NAVENG.SYS [2011-11-11 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111110.035\NAVEX15.SYS [2011-11-11 1576312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-10-29 32000]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 vsdatant;vsdatant;a --> a [?]
    .
    =============== File Associations ===============
    .
    .txt=UltraEdit.txt
    .
    =============== Created Last 30 ================
    .
    2011-11-11 14:01:09 709968 ----a-w- c:\windows\isRS-000.tmp
    2011-11-05 18:26:56 -------- d-----w- c:\documents and settings\don devoto\application data\Malwarebytes
    2011-11-05 18:26:46 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-11-05 18:26:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-05 18:26:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-05 17:50:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-11-05 17:50:50 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-04 21:33:49 -------- d-----w- C:\tmp
    2011-11-04 16:47:33 -------- d-----w- c:\windows\tmp
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-20 14:16:15 70024 ----a-w- c:\windows\system32\drivers\nlem32nt.sys
    2011-10-20 14:16:15 55160 ----a-w- c:\windows\system32\nlem32nt.dll
    2011-10-20 14:16:15 39288 ----a-w- c:\windows\system32\secbuild.dll
    2011-10-20 14:16:15 30072 ----a-w- c:\windows\system32\sectools.dll
    2011-10-14 13:24:27 -------- d-----w- c:\program files\iPod
    2011-10-14 13:24:00 -------- d-----w- c:\program files\iTunes
    2011-10-14 13:16:43 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-22 10:39:52 52080 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
    2011-08-22 10:39:46 113008 ----a-w- c:\windows\system32\gotomon.dll
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    ============= FINISH: 10:41:43.81 ===============

    Here are the DDS.SCR ATTACH.TXT results:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/18/2002 5:38:56 PM
    System Uptime: 11/11/2011 8:22:37 AM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0J3492
    Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 37.871 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: WAN Miniport (PPTP)
    Device ID: ROOT\MS_PPTPMINIPORT\0000
    Manufacturer: Microsoft
    Name: WAN Miniport (PPTP)
    PNP Device ID: ROOT\MS_PPTPMINIPORT\0000
    Service: PptpMiniport
    .
    ==== System Restore Points ===================
    .
    RP1: 11/10/2011 4:59:01 PM - System Checkpoint
    RP2: 11/11/2011 8:16:59 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe Acrobat 8 Standard
    Adobe Acrobat 8.1.3 Standard
    Adobe AIR
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Image Viewer Plugin 4.0
    Adobe PageMaker 6.5
    Adobe Photoshop Album
    Adobe Reader 9.4.6
    Adobe Type Manager 4.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Attendance Rx
    Backup4all 3
    Bonjour
    Calculator Powertoy for Windows XP
    Canon i850
    Cloudmark Desktop for Microsoft Outlook
    Compatibility Pack for the 2007 Office system
    Data Access Objects (DAO) 3.5
    DellTouch
    Easy CD Creator 5 Basic
    frameworks Canada
    Google Earth Plug-in
    Google Update Helper
    GoToMeeting 4.0.0.320
    GoToMyPC
    Help and Support Customization
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel Application Accelerator
    Internet Explorer Q903235
    Ipswitch WS_FTP Professional 2006
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 15
    LiveUpdate 3.3 (Symantec Corporation)
    LSA IRIS
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Access 2000 SR-1 Runtime
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2000
    Microsoft IntelliPoint 4.0
    Microsoft Interactive Training
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft Office XP Media Content
    Microsoft Office XP Small Business
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual C++ 5.0
    Microsoft Visual FoxPro 5.0
    Microsoft Windows Journal Viewer
    MobileMe Control Panel
    MSVCRT
    MSXML 6 Service Pack 2 (KB973686)
    NetLib Encryptionizer DE Distribution
    NovaXchange for Windows NT
    NuMega BoundsChecker 6.5 Visual C++ Edition
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    QuarkXPress
    QuickTime
    QuickTime for Windows (32-bit)
    RedTitan EscapeE
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Shadow Copy Client
    Shockwave
    SoundMAX
    StuffIt Standard
    Symantec Endpoint Protection
    Tweak UI
    UltraEdit 16.10
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2492386)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Resource Kit Tools
    Windows Resource Kit Tools - SubInAcl.exe
    Windows XP Service Pack 3
    WinPcap 3.1 beta4
    WinSCP 4.3.4
    WinZip 11.1
    WordPerfect Office 11
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/8/2011 7:53:06 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
    11/8/2011 3:17:27 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the COM+ System Application service, but this action failed with the following error: An instance of the service is already running.
    11/7/2011 9:58:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI
    11/7/2011 9:57:22 AM, error: PSched [14105] - QoS [Adapter {A14D5FFA-4DCF-4B75-9FEB-E85075658748}]: The UpperBindings key is missing from the registry.
    11/7/2011 10:33:45 AM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/7/2011 10:33:45 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/7/2011 10:33:32 AM, error: NETLOGON [5719] - No Domain Controller is available for domain datalink due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    11/7/2011 10:00:36 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/5/2011 3:56:35 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the GoToMyPC service.
    11/5/2011 3:55:53 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    11/5/2011 3:55:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 IdeBusDr IdeChnDr IntelIde
    11/5/2011 12:56:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/5/2011 12:55:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    11/5/2011 12:55:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The K9 Time Synchronization service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/5/2011 12:40:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip
    11/5/2011 1:05:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/4/2011 3:32:01 PM, error: Service Control Manager [7023] - The 725 service terminated with the following error: The specified procedure could not be found.
    11/4/2011 2:38:15 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/4/2011 2:33:31 PM, error: Service Control Manager [7034] - The Indexing Service service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:33:01 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:32:43 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:32:27 PM, error: Service Control Manager [7034] - The K9 Time Synchronization service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:32:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
    11/4/2011 2:32:27 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/4/2011 2:31:50 PM, error: Service Control Manager [7034] - The Uninterruptible Power Supply service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:31:32 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    11/4/2011 2:30:55 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/4/2011 2:25:37 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 2 time(s).
    11/4/2011 2:24:09 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
    11/11/2011 7:49:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    11/10/2011 1:40:21 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    .
    ==== End Of File ===========================

    Thanks,

    Don
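The "Event Viewer Messages From Past Week" block above is the part of the DDS log that explains the symptoms Don describes (services not starting, svchost.exe missing): event 7026 lists boot-start drivers that failed to load, 7001 lists services that could not start because a dependency failed, and 7031/7034 record services that died. DDS prints these entries in the order it read them, not chronologically (note the 11/8 and 11/11 entries sitting out of sequence), which makes it easy to miss that the same names fail on every boot. The following script is an added example for this thread and is not code from DDS, ComboFix or either poster. Its sample input is a handful of lines copied verbatim from the log above; the regular expressions are my assumptions about the DDS line format as it appears here (`M/D/YYYY H:MM:SS AM, level: Source [EventID] - message`), and the event IDs it keys on are the ones visible in the log.

```python
"""Triage the Service Control Manager entries in a DDS "Event Viewer Messages" block.

Added example for this thread (not part of DDS, ComboFix or any poster's tooling).
Assumed line format, taken from the log as posted:
    M/D/YYYY H:MM:SS AM, level: Source [EventID] - message
"""
import re
from collections import Counter
from datetime import datetime

# Lines copied verbatim from the DDS log posted above (not constructed).
SAMPLE_LOG = """\
11/8/2011 7:53:06 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
11/7/2011 9:58:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI
11/5/2011 3:55:53 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/5/2011 12:55:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:40:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip
11/4/2011 2:38:15 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# Assumed DDS line layout (see module docstring).
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
FAILED_DRIVERS_RE = re.compile(r"failed to load: (?P<names>.+)$")                       # event 7026
DEPENDS_RE = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed")  # 7001
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")        # 7031 / 7034


def parse_event(line):
    """Return one event as a dict, or None if the line is not a DDS event line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
    ev["event_id"] = int(ev["event_id"])
    return ev


def parse_log(text):
    """Parse all event lines and return them oldest first; DDS output is not sorted."""
    events = [ev for ev in map(parse_event, text.splitlines()) if ev]
    return sorted(events, key=lambda ev: ev["ts"])


def driver_load_failures(events):
    """Map each 7026 event's timestamp (one per boot) to the set of drivers it names."""
    boots = {}
    for ev in events:
        if ev["event_id"] == 7026:
            m = FAILED_DRIVERS_RE.search(ev["msg"])
            boots[ev["ts"]] = set(m.group("names").split()) if m else set()
    return boots


def persistent_drivers(boots):
    """Drivers that failed on every recorded boot: the intersection across 7026 events."""
    sets = list(boots.values())
    return set.intersection(*sets) if sets else set()


def dependency_failures(events):
    """(service, dependency) pairs from 7001 events."""
    pairs = []
    for ev in events:
        if ev["event_id"] == 7001:
            m = DEPENDS_RE.match(ev["msg"])
            if m:
                pairs.append((m.group("svc"), m.group("dep")))
    return pairs


def unexpected_terminations(events):
    """How many times each service shows up in a 7031/7034 'terminated unexpectedly' event."""
    counts = Counter()
    for ev in events:
        if ev["event_id"] in (7031, 7034):
            m = TERMINATED_RE.match(ev["msg"])
            if m:
                counts[m.group("svc")] += 1
    return counts


def triage(text):
    """Summarise a DDS event block into the four things worth looking at first."""
    events = parse_log(text)
    boots = driver_load_failures(events)
    return {
        "boots_with_driver_failures": len(boots),
        "persistent_drivers": sorted(persistent_drivers(boots)),
        "dependency_failures": dependency_failures(events),
        "unexpected_terminations": unexpected_terminations(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the script reports three boots with 7026 failures and seven driver names that failed on every one of them; the names that fail only once (the core TCP/IP stack on the two 11/5 boots) are what cascaded into the 7001 dependency errors for DNS Client and DHCP Client. The persistent list is where a hand check pays off: confirm for each name that the driver file is still present under system32\drivers and that the service's registry entry still has the expected Start value and ImagePath, rather than assuming the driver itself is at fault. The script only reports what the log says; it does not decide which names are Symantec's, Windows' or something else.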
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  22. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I got your E-mail to run ComboFix. For some reason your post is not showing up in the thread though?

    I downloaded ComboFix, disabled Malwarebytes, Symantec Endpoint Protection and Windows Firewall. I also disconnected my network cable so the internet is disconnected.

    I ran ComboFix and it created a restore point and then sat there for 10 minutes. So, I remember you saying that ComboFix checks for updates, which means it needs an internet connection, so I plugged my network cable back in. A few minutes later it said it needed to install the Recovery Console. It then proceeded to display messages after each stage of completion. After it displayed the message "Completed State_24" (I think this was the last one it displayed), I got a BSOD 0xCA indicating "Plug and Play detected an error most likely caused by a faulty driver".

    So, I rebooted my computer. But I'm not sure if I should just run it again, or if you suggest I do something else first?

    I did have my iPhone plugged into my computer for charging. Do you think that may have caused a problem?

    Thanks,

    Don
     
  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Try to re-run Combofix.
     
  24. DonD

    DonD TS Rookie Topic Starter Posts: 21

    Hi,

    I ran ComboFix again and it ran successfully this time!

    Here's the log file.

    ComboFix 11-11-11.06 - don 11/11/2011 16:38:16.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.382 [GMT -6:00]
    Running from: c:\documents and settings\Don DeVoto\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\DirectCDUserName.txt
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Don DeVoto\g2ax_customer_downloadhelper_win32_x86.exe
    c:\documents and settings\Don DeVoto\g2mdlhlpx.exe
    c:\documents and settings\Don DeVoto\WINDOWS
    c:\program files\Internet Explorer\SET233.tmp
    c:\program files\Internet Explorer\SET234.tmp
    c:\program files\Internet Explorer\SET236.tmp
    c:\program files\Internet Explorer\SET44.tmp
    c:\program files\Internet Explorer\SET45.tmp
    c:\program files\Internet Explorer\SET47.tmp
    c:\program files\Internet Explorer\SET56.tmp
    c:\program files\Internet Explorer\SET57.tmp
    c:\program files\Internet Explorer\SET59.tmp
    c:\program files\Internet Explorer\SETAF.tmp
    c:\program files\Internet Explorer\SETB0.tmp
    c:\program files\Internet Explorer\SETB2.tmp
    c:\program files\WinPCap
    c:\program files\WinPCap\daemon_mgm.exe
    c:\program files\WinPCap\INSTALL.LOG
    c:\program files\WinPCap\NetMonInstaller.exe
    c:\program files\WinPCap\npf_mgm.exe
    c:\program files\WinPCap\Uninstall.exe
    c:\windows\dasetup.log
    c:\windows\Downloaded Program Files\ocget.dll
    c:\windows\Downloaded Program Files\RdxIE.dll
    c:\windows\help\wmplayer.bak
    c:\windows\system32\_004388_.tmp.dll
    c:\windows\system32\_004389_.tmp.dll
    c:\windows\system32\_004390_.tmp.dll
    c:\windows\system32\_004391_.tmp.dll
    c:\windows\system32\_004396_.tmp.dll
    c:\windows\system32\_004397_.tmp.dll
    c:\windows\system32\_004398_.tmp.dll
    c:\windows\system32\_004399_.tmp.dll
    c:\windows\system32\_004400_.tmp.dll
    c:\windows\system32\_004401_.tmp.dll
    c:\windows\system32\_004402_.tmp.dll
    c:\windows\system32\_004403_.tmp.dll
    c:\windows\system32\_004404_.tmp.dll
    c:\windows\system32\_004406_.tmp.dll
    c:\windows\system32\_004407_.tmp.dll
    c:\windows\system32\_004409_.tmp.dll
    c:\windows\system32\_004410_.tmp.dll
    c:\windows\system32\_004411_.tmp.dll
    c:\windows\system32\_004413_.tmp.dll
    c:\windows\system32\_004416_.tmp.dll
    c:\windows\system32\_004417_.tmp.dll
    c:\windows\system32\_004419_.tmp.dll
    c:\windows\system32\_004420_.tmp.dll
    c:\windows\system32\_004421_.tmp.dll
    c:\windows\system32\_004422_.tmp.dll
    c:\windows\system32\_004423_.tmp.dll
    c:\windows\system32\_004424_.tmp.dll
    c:\windows\system32\_004425_.tmp.dll
    c:\windows\system32\_004426_.tmp.dll
    c:\windows\system32\_004427_.tmp.dll
    c:\windows\system32\_004429_.tmp.dll
    c:\windows\system32\_004430_.tmp.dll
    c:\windows\system32\_004431_.tmp.dll
    c:\windows\system32\_004432_.tmp.dll
    c:\windows\system32\_004433_.tmp.dll
    c:\windows\system32\_004434_.tmp.dll
    c:\windows\system32\_004435_.tmp.dll
    c:\windows\system32\_004436_.tmp.dll
    c:\windows\system32\_004437_.tmp.dll
    c:\windows\system32\_004438_.tmp.dll
    c:\windows\system32\_004439_.tmp.dll
    c:\windows\system32\_004442_.tmp.dll
    c:\windows\system32\_004443_.tmp.dll
    c:\windows\system32\_004444_.tmp.dll
    c:\windows\system32\_004446_.tmp.dll
    c:\windows\system32\_004447_.tmp.dll
    c:\windows\system32\_004448_.tmp.dll
    c:\windows\system32\_004449_.tmp.dll
    c:\windows\system32\_004450_.tmp.dll
    c:\windows\system32\_004452_.tmp.dll
    c:\windows\system32\_004455_.tmp.dll
    c:\windows\system32\_004456_.tmp.dll
    c:\windows\system32\_004460_.tmp.dll
    c:\windows\system32\_004461_.tmp.dll
    c:\windows\system32\_004463_.tmp.dll
    c:\windows\system32\_004464_.tmp.dll
    c:\windows\system32\_004465_.tmp.dll
    c:\windows\system32\_004466_.tmp.dll
    c:\windows\system32\_004468_.tmp.dll
    c:\windows\system32\_004469_.tmp.dll
    c:\windows\system32\_004470_.tmp.dll
    c:\windows\system32\_004471_.tmp.dll
    c:\windows\system32\_004474_.tmp.dll
    c:\windows\system32\_004475_.tmp.dll
    c:\windows\system32\_004476_.tmp.dll
    c:\windows\system32\_004477_.tmp.dll
    c:\windows\system32\_004478_.tmp.dll
    c:\windows\system32\_004483_.tmp.dll
    c:\windows\system32\_004485_.tmp.dll
    c:\windows\system32\bszip.dll
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\gotomon.log
    c:\windows\system32\gunzip.exe
    c:\windows\system32\MSMAsk32.ocx
    c:\windows\system32\notepad\notepad.exe
    c:\windows\system32\Packet.dll
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll
    c:\windows\tsoc.log
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-10 21:50 . 2011-11-10 21:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2011-11-10 21:50 . 2011-11-10 21:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-11-05 18:26 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\Don DeVoto\Application Data\Malwarebytes
    2011-11-05 18:26 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-05 18:26 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-05 18:26 . 2011-11-11 14:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-05 17:50 . 2011-11-05 17:50 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-04 21:33 . 2011-11-04 21:34 -------- d-----w- C:\tmp
    2011-11-04 19:20 . 2011-11-04 19:20 -------- d-----w- c:\documents and settings\LocalService\IETldCache
    2011-11-04 16:47 . 2011-11-04 16:50 -------- d-----w- c:\windows\tmp
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-11-01 15:42 . 2011-11-01 15:43 -------- d-----w- c:\program files\QuickTime
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-20 14:16 . 2009-08-12 20:56 70024 ----a-w- c:\windows\system32\drivers\nlem32nt.sys
    2011-10-20 14:16 . 2009-08-12 19:56 30072 ----a-w- c:\windows\system32\sectools.dll
    2011-10-20 14:16 . 2009-08-12 19:56 55160 ----a-w- c:\windows\system32\nlem32nt.dll
    2011-10-20 14:16 . 2009-08-12 19:56 39288 ----a-w- c:\windows\system32\secbuild.dll
    2011-10-14 13:24 . 2011-10-14 13:24 -------- d-----w- c:\program files\iPod
    2011-10-14 13:24 . 2011-10-14 13:25 -------- d-----w- c:\program files\iTunes
    2011-10-14 13:16 . 2011-10-14 13:16 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2004-10-14 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-09-26 15:29 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2001-08-18 13:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2001-08-18 13:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2009-12-07 22:12 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 23:48 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-09-26 15:28 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 23:48 . 2004-09-26 15:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-22 10:39 . 2007-01-23 14:23 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
    2011-08-22 10:39 . 2004-12-27 14:12 113008 ----a-w- c:\windows\system32\gotomon.dll
    2011-08-17 13:49 . 2009-12-07 22:12 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QD FastAndSafe"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-04-04 684032]
    "POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2001-08-24 167936]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Outlook.lnk - c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe [2001-8-31 114688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyDocs"= 01000000
    "NoSMMyPictures"= 01000000
    "NoNetworkConnections"= 01000000
    "NoStrCmpLogical"= 01000000
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
    2011-08-22 10:39 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG -off [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    2003-04-04 14:33 684032 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
    2003-02-26 01:27 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R0 nlem32nt;nlem32nt;c:\windows\system32\drivers\nlem32nt.sys [10/20/2011 8:16 AM 70024]
    R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [4/17/2002 1:02 PM 4064]
    R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [3/28/2002 4:16 PM 57856]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/5/2011 12:26 PM 366152]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2011 3:48 PM 106104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/5/2011 12:26 PM 22216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 8:32 AM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 8:32 AM 136176]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2009-09-10 c:\windows\Tasks\b4a_D3 Backups(1).job
    - c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
    .
    2009-09-10 c:\windows\Tasks\b4a_D3 Backups.job
    - c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
    .
    2011-11-08 c:\windows\Tasks\b4a_D3 Doc's and Library(1).job
    - c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
    .
    2011-10-29 c:\windows\Tasks\b4a_D3 Doc's and Library.job
    - c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
    .
    2008-07-02 c:\windows\Tasks\bkupLogs.job
    - c:\library\bkupLogs\bkupLogs.exe [2011-10-28 14:46]
    .
    2011-11-08 c:\windows\Tasks\cleantmp.job
    - c:\batch files\cleantmp.bat [2002-02-21 19:35]
    .
    2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 14:32]
    .
    2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 14:32]
    .
    2011-11-09 c:\windows\Tasks\outlookc.job
    - c:\library\outlookc\outlookc.exe [2011-10-28 14:53]
    .
    2011-11-11 c:\windows\Tasks\ren1.job
    - c:\batch files\ren1.bat [2007-01-22 22:15]
    .
    2011-11-08 c:\windows\Tasks\ren2.job
    - c:\batch files\ren2.bat [2007-01-22 22:15]
    .
    2008-06-29 c:\windows\Tasks\startNtmsSvc.job
    - c:\batch files\startNtmsSvc.bat [2002-12-27 20:17]
    .
    2008-05-21 c:\windows\Tasks\System Backup - Full.job
    - c:\batch files\backupSystem.bat [2004-11-30 14:52]
    .
    2008-05-21 c:\windows\Tasks\System Backup - Incremental.job
    - c:\batch files\backupSystem.bat [2004-11-30 14:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\office
    TCP: DhcpNameServer = 192.168.1.18
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
    DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
    DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    .
    .
    ------- File Associations -------
    .
    .txt=UltraEdit.txt
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-NavLogon - (no file)
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-NvCplDaemon - c:\windows\system32\NvCpl.dll
    MSConfigStartUp-RealPlayer - c:\program files\Real\RealOne Player\realplay.exe
    MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
    AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-11 17:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet007\Services\vsdatant]
    "ImagePath"="a"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2856520603-3757435101-1358250142-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0e,d4,ad,
    79,fd,e7,7d,48,37,b8,88,53,4d,be,a7,78,6f,aa,4a,1f,2c,e8,a5,08,7b,2e,aa,db,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
    "NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
    de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(540)
    c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2448)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\Ati2evxx.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Expertcity\GoToMyPC\g2svc.exe
    c:\program files\Expertcity\GoToMyPC\g2comm.exe
    c:\program files\Expertcity\GoToMyPC\g2pre.exe
    c:\program files\Expertcity\GoToMyPC\g2tray.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\System32\dllhost.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\windows\System32\msdtc.exe
    c:\windows\system32\dllhost.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-11 17:28:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-11 23:28
    .
    Pre-Run: 40,558,555,136 bytes free
    Post-Run: 42,370,379,776 bytes free
    .
    - - End Of File - - 76B3D7456570EF80FAED83FDE4D5E868

    Let me know what to do next?

    Thanks again for all your help so far!

    Don
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
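As an added example (not part of the thread, and not ComboFix's or the helper's own code), a small Python check that pulls the key paths out of a ComboFix "LOCKED REGISTRY KEYS" section, flags CLSID keys whose braced components are not well-formed 8-4-4-4-12 GUIDs, and renders them as a RegNull:: block in the CFScript form used above. The malformed-GUID heuristic and the sample excerpt (copied from the log above plus one constructed well-formed key as a negative case) are assumptions of this example, not something the thread states.

```python
import re

# Constructed excerpt in the shape of ComboFix's LOCKED REGISTRY KEYS section:
# the first two CLSID keys are the ones from the log above, the third is a
# constructed, well-formed key that must NOT be flagged.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2856520603-3757435101-1358250142-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0e,d4,ad,
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}*]
@="constructed well-formed key, should not be flagged"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# A registry GUID is 8-4-4-4-12 hex digits in braces; anything else is suspect.
WELL_FORMED_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BRACED = re.compile(r"\{[^{}]*\}")


def locked_keys(log_text):
    """Return the key paths listed under the LOCKED REGISTRY KEYS header."""
    keys, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("-----"):           # ComboFix section headers
            in_section = "LOCKED REGISTRY KEYS" in line
            continue
        if in_section and line.startswith("[") and line.endswith("]"):
            keys.append(line[1:-1])             # keep ComboFix's trailing '*'
    return keys


def malformed_guids(key_path):
    """Braced components of a key path that are not 8-4-4-4-12 GUIDs."""
    return [g for g in BRACED.findall(key_path) if not WELL_FORMED_GUID.match(g)]


def suspicious_clsid_keys(log_text):
    """Locked keys under ...\\Classes\\CLSID whose path contains a malformed GUID.

    Returns a list of (key_path, [malformed components]) tuples.
    """
    flagged = []
    for key in locked_keys(log_text):
        if "\\classes\\clsid\\" not in key.lower():
            continue
        bad = malformed_guids(key)
        if bad:
            flagged.append((key, bad))
    return flagged


def cfscript_regnull(keys):
    """Render a RegNull:: block in the CFScript form used in the reply above."""
    return "RegNull::\n" + "\n".join(f"[{k}]" for k in keys) + "\n"


if __name__ == "__main__":
    hits = suspicious_clsid_keys(SAMPLE_LOG)
    for key, bad in hits:
        print(f"{key}\n    malformed: {', '.join(bad)}")
    print(cfscript_regnull([k for k, _ in hits]))
```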
     
