TechSpot

Windows XP and IE 8 redirection virus

By pms1228
Nov 18, 2010
  1. I've never had a virus and now my machine has been hit hard. I'm currently experiencing an internet redirection virus which I don't know how to remove. Also, I'm not sure if the virus is doing this as well, but I cannot turn on the Windows Firewall or the ICS service.
    Anyone's help would be greatly appreciated!
    Thanks
  2. Bobbye


    Welcome to TechSpot! I'll help with the malware. I've asked the moderator to close your other thread so you're not tempted to post there for this problem.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. pms1228


    Logs as requested

    Malwarebytes log
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5148

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/18/2010 6:14:17 PM
    mbam-log-2010-11-18 (18-14-17).txt

    Scan type: Quick scan
    Objects scanned: 160701
    Time elapsed: 6 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-payment.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-18 20:55:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS721080G9SA00 rev.MC4OC10H
    Running: pe7uk9d4.exe; Driver: C:\DOCUME~1\Paula\LOCALS~1\Temp\ugryauod.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF748E6AE]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF746CA96]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF746CD5E]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF748F04C]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF748F3D6]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF748D8EC]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF748F91A]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF748EA50]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF746C506]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 452 804E4CAC 4 Bytes JMP 2417F748

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[200] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[200] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Expl

    DDS Logs
    DDS.txt
    DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
    Run by Paula at 20:57:23.48 on Thu 11/18/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.617 [GMT -6:00]

    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Paula\My Documents\downloads\Virus stuff\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Internet Explorer, optimized for Bing and MSN
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = <local>;127.0.0.1
    uInternet Settings,ProxyServer = http=
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2317.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2317.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2317.0\npwinext.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: surfright.nl\www
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Web-Based Email Tools - hxxp://email09.secureserver.net/Download.CAB
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://entrepreneur.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
    DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167758081154
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://ca.com/us/securityadvisor/virusinfo/webscan.cab
    DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-6fa626abaa234940.spaces.live.com/PhotoUpload/MsnPUpld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {A906CBEA-6FAF-43B8-AE2F-857C5A21884C} - hxxps://mediadownloads.walmart.com/mmce/resources/walmartcheck2.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
    DPF: {E065DE4B-6F0E-45FD-B30F-04ED81D5C258} - hxxp://download.microsoft.com/download/0/7/1/0715cb0a-51f5-4d17-b482-e8c457971efa/AppCompR.CAB
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
    DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
    DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/TrueInstall.exe
    TCP: {E2B52A10-D3BD-40BD-BFF6-95732E441C4C} = 208.67.222.222,208.67.220.220
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-17 237632]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-11-17 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-11-17 656320]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-11-17 249616]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-11-17 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-11-17 68880]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 67656]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
    S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-1 67904]
    S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-6-19 597640]
    S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-11-17 366840]
    S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-11-17 1145304]
    S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2008-10-9 386560]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-2-18 106624]
    S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-2-8 59648]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-11-17 70536]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 12872]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-11-17 33552]
    S3 ThreatFire;ThreatFire;c:\program files\pc tools security\tfengine\tfservice.exe service --> c:\program files\pc tools security\tfengine\TFService.exe service [?]

    =============== Created Last 30 ================

    2010-11-19 00:02:58 -------- d-----w- c:\docume~1\paula\applic~1\Malwarebytes
    2010-11-19 00:02:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-19 00:02:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-19 00:02:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-19 00:02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-18 22:16:26 -------- d--h--w- C:\$AVG
    2010-11-18 21:54:49 -------- d-----w- c:\docume~1\paula\applic~1\AVG10
    2010-11-18 21:50:07 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-11-18 21:50:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-11-18 21:49:25 -------- d-----w- c:\program files\AVG
    2010-11-18 21:37:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-11-18 20:41:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-18 20:41:37 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-11-18 20:40:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-11-17 21:11:30 68880 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-11-17 21:11:30 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-11-17 21:11:30 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-11-17 21:08:28 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2010-11-17 21:08:28 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2010-11-17 21:08:23 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-11-17 21:07:50 237632 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-11-17 21:07:50 159936 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-11-17 21:06:52 87400 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
    2010-11-17 21:06:52 31960 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
    2010-11-17 21:06:51 123712 ----a-w- c:\windows\system32\drivers\pctplfw.sys
    2010-11-17 21:06:38 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-11-17 21:04:08 -------- d-----w- c:\program files\common files\PC Tools
    2010-11-17 21:04:05 -------- d-----w- c:\program files\PC Tools Security
    2010-11-17 21:04:05 -------- d-----w- c:\docume~1\paula\applic~1\PC Tools
    2010-11-17 18:15:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
    2010-11-16 18:13:50 -------- d-----w- c:\program files\ESET
    2010-11-16 17:25:13 -------- d-----w- c:\docume~1\paula\locals~1\applic~1\Dell
    2010-11-13 20:07:19 -------- d-sh--w- C:\found.000
    2010-10-22 22:26:40 -------- d-----w- c:\program files\Cisco Systems
    2010-10-22 22:21:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Cisco Systems

    ==================== Find3M ====================

    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-01 07:52:50 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-01 07:50:52 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-01 07:50:50 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    2010-09-21 21:52:21 73728 ----a-w- c:\documents and settings\paula\zlib.dll
    2010-09-21 21:52:21 585728 ----a-w- c:\documents and settings\paula\HPAsset.exe
    2010-09-21 21:52:21 36208 ----a-w- c:\documents and settings\paula\Dscan16.dll
    2010-09-21 21:52:21 2855 ----a-w- c:\documents and settings\paula\Smstub16.pif
    2010-09-21 21:52:21 17477 ----a-w- c:\documents and settings\paula\Smstub16.exe
    2010-09-21 21:52:20 40960 ----a-w- c:\documents and settings\paula\hpmonZ.exe
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 01:43:57 256 ----a-w- c:\documents and settings\paula\pool.bin
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2004-03-01 20:58:18 561424 ----a-w- c:\program files\common files\dao360.dll

    ============= FINISH: 20:58:52.42 ===============

    attach.txt
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/31/2006 7:42:25 PM
    System Uptime: 11/18/2010 6:15:47 PM (2 hours ago)

    Motherboard: Dell Inc. | |
    Processor: Genuine Intel(R) CPU T2500 @ 2.00GHz | Microprocessor | 1995/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 51 GiB total, 5.71 GiB free.
    D: is FIXED (NTFS) - 17 GiB total, 11.013 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1623: 9/29/2010 3:00:22 AM - Software Distribution Service 3.0
    RP1624: 10/1/2010 3:45:11 PM - Installed Microsoft Office Outlook Connector
    RP1625: 10/2/2010 9:03:25 PM - System Checkpoint
    RP1626: 10/3/2010 9:02:09 PM - RegCure Backup
    RP1627: 10/9/2010 8:29:40 AM - Software Distribution Service 3.0
    RP1628: 10/9/2010 1:42:51 PM - Installed Nitro PDF Professional
    RP1629: 10/9/2010 2:03:46 PM - Removed Nitro PDF Professional
    RP1630: 10/10/2010 3:00:23 AM - Software Distribution Service 3.0
    RP1631: 10/10/2010 8:25:02 AM - Software Distribution Service 3.0
    RP1632: 10/10/2010 11:59:02 AM - Software Distribution Service 3.0
    RP1633: 10/11/2010 8:26:04 AM - Software Distribution Service 3.0
    RP1634: 10/12/2010 8:25:51 AM - Software Distribution Service 3.0
    RP1635: 10/13/2010 8:25:57 AM - Software Distribution Service 3.0
    RP1636: 10/13/2010 9:02:34 PM - RegCure Backup
    RP1637: 10/14/2010 3:00:26 AM - Software Distribution Service 3.0
    RP1638: 10/15/2010 3:33:07 AM - Software Distribution Service 3.0
    RP1639: 10/16/2010 3:33:51 AM - Software Distribution Service 3.0
    RP1640: 10/17/2010 3:33:50 AM - Software Distribution Service 3.0
    RP1641: 10/17/2010 11:54:35 AM - Software Distribution Service 3.0
    RP1642: 10/18/2010 12:03:36 PM - System Checkpoint
    RP1643: 10/18/2010 9:03:23 PM - RegCure Backup
    RP1644: 10/19/2010 7:09:20 AM - Software Distribution Service 3.0
    RP1645: 10/20/2010 7:45:36 AM - System Checkpoint
    RP1646: 10/21/2010 7:22:14 PM - System Checkpoint
    RP1647: 10/22/2010 7:26:35 PM - System Checkpoint
    RP1648: 10/23/2010 8:26:34 PM - System Checkpoint
    RP1649: 10/24/2010 9:26:34 PM - System Checkpoint
    RP1650: 10/25/2010 6:55:05 PM - Software Distribution Service 3.0
    RP1651: 10/26/2010 7:25:54 PM - System Checkpoint
    RP1652: 10/27/2010 6:55:53 AM - Software Distribution Service 3.0
    RP1653: 10/28/2010 7:29:07 AM - Software Distribution Service 3.0
    RP1654: 10/28/2010 9:03:24 PM - RegCure Backup
    RP1655: 10/29/2010 3:48:45 PM - Software Distribution Service 3.0
    RP1656: 10/30/2010 3:48:59 PM - Software Distribution Service 3.0
    RP1657: 10/31/2010 12:04:38 PM - Software Distribution Service 3.0
    RP1658: 11/1/2010 12:19:33 PM - System Checkpoint
    RP1659: 11/9/2010 1:34:48 PM - Software Distribution Service 3.0
    RP1660: 11/10/2010 3:00:25 AM - Software Distribution Service 3.0
    RP1661: 11/11/2010 3:26:05 AM - System Checkpoint
    RP1662: 11/11/2010 3:30:21 AM - Software Distribution Service 3.0
    RP1663: 11/12/2010 3:29:45 AM - Software Distribution Service 3.0
    RP1664: 11/13/2010 3:30:28 AM - Software Distribution Service 3.0
    RP1665: 11/14/2010 7:57:11 AM - Software Distribution Service 3.0
    RP1666: 11/15/2010 7:51:57 AM - Software Distribution Service 3.0
    RP1667: 11/16/2010 11:24:53 AM - RegCure Backup
    RP1668: 11/17/2010 12:14:24 PM - Microsoft Antimalware Checkpoint
    RP1669: 11/18/2010 3:48:58 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP1670: 11/18/2010 3:49:24 PM - Installed AVG 2011
    RP1671: 11/18/2010 3:49:54 PM - Installed AVG 2011

    ==== Installed Programs ======================

    A-PDF Restrictions Remover 1.5
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop Elements 6.0
    Adobe Reader 9.3.4
    Adobe Shockwave Player
    AVG 2011
    AVS Cover Editor 1.3.1.79 (AVSMedia)
    AVS DVD Copy version 1.4
    BiAdmin
    Bing Bar
    Bing Bar Platform
    Bing Rewards Client Installer
    BlackBerry Desktop Software 6.0
    Broadcom 440x 10/100 Integrated Controller
    Business Contact Manager for Outlook 2007 SP2
    CCleaner
    Centra Client
    Cisco Connect
    Conexant HDA D110 MDC V.92 Modem
    Constant Contact QuickImport v2 for Outlook
    Coupon Printer for Windows
    Crash Analysis Tool
    Definition update for Microsoft Office 2010 (KB982726)
    Dell Automated PC TuneUp
    Dell Driver Download Manager
    Dell ResourceCD
    Dell Support Center (Support Software)
    DellConnect
    DellSupport
    DIGOpt
    Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
    Driver Installer
    DVD Identifier
    ESET Online Scanner v3
    Form Fill (Windows Live Toolbar)
    Garmin USB Drivers
    Garmin WebUpdater
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Google Earth
    GoToAssist 8.0.0.514
    GoToMeeting 4.0.0.320
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB954550-v5)
    HP Deskjet 6500
    HP Deskjet 6500 Series
    HP Driver Diagnostics
    hp officejet 6100 series
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp officejet 6100 series
    HP QuickSync
    HP Update
    ImgBurn
    Install Font
    Intel(R) PROSet/Wireless Software
    InterActual Player
    Java Auto Updater
    Java(TM) 6 Update 19
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Junk Mail filter update
    Live Search Maps Add-In for Microsoft Office Outlook
    LiveUpdate (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    McAfee Security Scan Plus
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Automated Troubleshooting Services Shim
    Microsoft Choice Guard
    Microsoft Default Manager
    Microsoft Easy Assist v2
    Microsoft Fix it Center
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Live Add-in 1.4
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Picture It! Publishing Platinum 2002
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 14
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIWA
    mLogView
    mMHouse
    Motorola Driver Installation
    Move Media Player
    mPfMgr
    mPfWiz
    mProSafe
    mSCfg
    MSN
    mSSO
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    mWlsSafe
    mWMI
    mZConfig
    Nokia Connectivity Adapter Cable DKU-5
    NVIDIA Drivers
    OFX Writer
    OneCare Advisor (Windows Live Toolbar)
    OpenCASE Media Agent
    OpenOffice.org Installer 1.0
    Popup Blocker (Windows Live Toolbar)
    PowerDVD 5.7
    PrimoPDF
    Print Server Driver
    QBFC 4.0
    Quicken 2010
    QuickSet
    RegCure
    Rhapsody Player Engine
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft Word 2010 (KB2345000)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Segoe UI
    SigmaTel Audio
    Smart Menus (Windows Live Toolbar)
    Sonic Encoders
    Sonic Update Manager
    Sound Blaster ADVANCED MB Drivers
    Spyware Doctor with AntiVirus 8.0
    SUPERAntiSpyware Free Edition
    SupportSoft Assisted Service
    TrueSwitch Wizard MSN
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft OneNote 2010 (KB2288640)
    Update for Microsoft Outlook Social Connector (KB2289116)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Virtools 3D Life Player
    VZAccess Manager for RIM
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows 7 Upgrade Advisor
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Outlook Toolbar (Windows Live Toolbar)
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Toolbar Feed Detector (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Resource Kit Tools - SubInAcl.exe
    Windows Search 4.0
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    11/18/2010 5:49:18 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the OpenCASE Media Agent service to connect.
    11/18/2010 5:49:18 PM, error: Service Control Manager [7000] - The OpenCASE Media Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/18/2010 5:39:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Avgldx86 Avgmfx86 Fips intelppm OMCI SASDIFSV SASKUTIL TfFsMon TfSysMon
    11/18/2010 5:15:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WSearch service.
    11/18/2010 3:25:09 PM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
    11/18/2010 3:18:59 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Logical Disk Manager service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The IPv6 Helper Service service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The HID Input Service service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
    11/18/2010 2:35:40 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    11/18/2010 2:35:40 PM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/18/2010 2:08:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    11/18/2010 2:08:27 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    11/18/2010 2:03:52 PM, error: Service Control Manager [7000] - The Office Software Protection Platform service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/18/2010 2:03:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Office Software Protection Platform service to connect.
    11/18/2010 1:53:26 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
    11/17/2010 6:03:27 PM, error: Service Control Manager [7024] - The Routing and Remote Access service terminated with service-specific error 340 (0x154).
    11/17/2010 6:02:26 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The system cannot find the file specified.
    11/17/2010 6:02:26 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the file specified.
    11/17/2010 5:56:32 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    11/17/2010 5:53:54 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    11/17/2010 5:37:53 PM, error: Microsoft Antimalware [2001] -
    11/17/2010 5:29:43 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    11/17/2010 5:15:02 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
    11/17/2010 2:17:05 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    11/17/2010 10:19:55 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    11/16/2010 2:27:26 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {E85062FB-914A-40A2-8801-5DD803045204} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    11/16/2010 2:27:26 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    11/16/2010 2:21:13 PM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Incorrect function.
    11/16/2010 2:21:13 PM, error: Rasman [20033] - Remote Access Connection Manager failed to start because it could not register with the local security authority. Restart the computer. Incorrect function.
    11/16/2010 2:21:10 PM, error: Service Control Manager [7024] - The Routing and Remote Access service terminated with service-specific error 711 (0x2C7).
    11/16/2010 2:21:08 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
    11/16/2010 2:21:06 PM, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    11/16/2010 2:20:50 PM, error: Service Control Manager [7024] - The Remote Access Connection Manager service terminated with service-specific error 3221356592 (0xC0020030).
    11/16/2010 2:20:46 PM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:20:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SSDP Discovery Service service to connect.
    11/16/2010 2:19:41 PM, error: Service Control Manager [7023] - The Business Contact Manager SQL Server Startup Service service terminated with the following error: %%2147943453
    11/16/2010 2:19:41 PM, error: Service Control Manager [7000] - The SQL Server (MSSMLBIZ) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:19:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server (MSSMLBIZ) service to connect.
    11/16/2010 2:16:56 PM, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:16:55 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:16:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Live ID Sign-in Assistant service to connect.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server Browser service to connect.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intel(R) PROSet/Wireless SSO Service service to connect.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7000] - The SQL Server Browser service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/16/2010 2:16:33 PM, error: Service Control Manager [7000] - The Intel(R) PROSet/Wireless SSO Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/14/2010 7:47:04 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    11/13/2010 9:11:06 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/13/2010 9:09:49 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    11/13/2010 9:07:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/13/2010 8:35:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL Tcpip Tcpip6
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 8:35:14 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/13/2010 2:04:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/13/2010 1:52:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

    ==== End Of File ===========================
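The Event Viewer section above is a dump of Service Control Manager and DCOM errors in "date, level: Source [ID] - message" form. Below is an added triage helper for that format; it is not part of the scanning tool, the thread, or any poster's logs. It flags two patterns a responder looks at first in a log like this: many services terminating unexpectedly (SCM 7034/7031) at the same instant, as at 2:35:40 PM on 11/18 above, which is consistent with their shared host process crashing or being killed, and SCM 7026 boot-start driver failures whose list includes network-stack or security-product drivers, as in the 11/13 entry where AFD and Tcpip failed to load. The sample lines are constructed from entries quoted above; the two driver-name sets are assumptions chosen for this example, not an authoritative list.

```python
"""Triage helper for 'Event Viewer Messages' lines such as
'11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The ... service terminated unexpectedly.'
Added example for this thread; not the scanning tool's code.  Sample lines are constructed
from entries quoted in the thread.  Driver name sets below are assumptions for the example."""
import re
from collections import defaultdict
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - ?(?P<msg>.*)$")
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<list>.+)$")

# Assumed groupings for this example: core XP network stack vs. AV/anti-spyware drivers.
NETWORK_DRIVERS = {"AFD", "Tcpip", "Tcpip6", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "Rdbss"}
SECURITY_DRIVERS = {"Avgldx86", "Avgmfx86", "SASDIFSV", "SASKUTIL", "MpFilter", "TfFsMon", "TfSysMon"}

# Constructed sample, taken from lines quoted in the thread (including the empty-message 2001 event).
SAMPLE = """
11/18/2010 5:39:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Avgldx86 Avgmfx86 Fips intelppm OMCI SASDIFSV SASKUTIL TfFsMon TfSysMon
11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
11/18/2010 2:35:40 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
11/18/2010 2:35:40 PM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/17/2010 5:53:54 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/17/2010 5:37:53 PM, error: Microsoft Antimalware [2001] -
11/13/2010 8:35:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL Tcpip Tcpip6
"""


def parse_events(text):
    """Return a list of dicts (time, source, id, msg); lines that do not fit are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                "source": m["source"],
                "id": int(m["id"]),
                "msg": m["msg"],          # may be empty, as in the Antimalware 2001 line
            })
    return events


def termination_bursts(events, min_services=3):
    """{timestamp: [service names]} for instants where >= min_services died together."""
    by_time = defaultdict(list)
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] in (7031, 7034):
            t = TERMINATED_RE.match(e["msg"])
            if t:
                by_time[e["time"]].append(t["svc"])
    return {t: svcs for t, svcs in by_time.items() if len(svcs) >= min_services}


def failed_driver_loads(events):
    """For each SCM 7026 event: (time, network drivers that failed, security drivers that failed)."""
    out = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7026:
            d = DRIVERS_RE.search(e["msg"])
            if d:
                names = set(d["list"].split())
                out.append((e["time"],
                            sorted(names & NETWORK_DRIVERS),
                            sorted(names & SECURITY_DRIVERS)))
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE)
    for t, svcs in termination_bursts(ev).items():
        print(f"{t}: {len(svcs)} services died together: {', '.join(svcs)}")
    for t, net, sec in failed_driver_loads(ev):
        print(f"{t}: network drivers failed {net}; security drivers failed {sec}")
```

A burst of same-second terminations is a symptom, not proof: a crashed svchost.exe host, an out-of-memory condition, or a hard power event all produce it, so correlate with what else was logged at that second (here the firewall/ICS service and Print Spooler "cannot find the file specified" errors nearby). Network drivers failing to load at boot explains why the DHCP/DNS clients and the firewall service could not start on 11/13, which matches the poster's report of being unable to enable the firewall.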
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Malwarebytes log shows No action taken. This means you did not follow this in the directions:
    Be sure that everything is checked, and click Remove Selected.

    So the malware it found wasn't removed. Please update Mbam and run again, taking care to check for removal. Post the new log.
     
  5. pms1228

    pms1228 TS Rookie Topic Starter

    Malwarebytes removal log

I was afraid I attached the wrong log (and I did). When it completed there were two logs and I attached the first one. Here is the correct log.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5148

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/18/2010 6:14:41 PM
    mbam-log-2010-11-18 (18-14-41).txt

    Scan type: Quick scan
    Objects scanned: 160701
    Time elapsed: 6 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-payment.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
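The difference between the two Malwarebytes logs in this thread is only the action column: "No action taken" versus "Quarantined and deleted successfully", which is what Bobbye checks in post 4. The two Hijack.TrustedZone entries also carry IE zone numbers: "Bad: (2)" is the Trusted Sites zone the adware placed the domains in, and "Good: (4)" is Restricted Sites, the zone Malwarebytes restores. The following added example (not Malwarebytes' code, and not something either poster ran) parses a log in this 1.x text format, lists detections that were not actually removed, and decodes those zone numbers. The sample log is constructed from the registry entries quoted above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log, report detections that were not
actually removed, and decode the IE zone numbers in Hijack.TrustedZone entries.
Added example for this thread; not Malwarebytes' own code.  The sample log below is
constructed from the registry entries quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# IE URL security zones, as stored under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>\<scheme>
IE_ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
            3: "Internet", 4: "Restricted Sites"}

# Actions MBAM 1.x reports when an item really was dealt with.
RESOLVED_ACTIONS = ("Quarantined and deleted successfully", "Delete on reboot")

DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[^()]+)\)"                 # key/path (Threat.Name)
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"    # only on registry data items
    r" -> (?P<action>.+?)\.?$")                                  # -> action taken.
ZONEMAP_RE = re.compile(r"ZoneMap\\Domains\\(?P<domain>[^\\]+)\\(?P<scheme>\w+)$", re.I)

# Constructed sample: the same three entries the thread's two logs report.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\se-2011-payment.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    location: str
    threat: str
    action: str
    bad_zone: Optional[int] = None   # zone the malware set (Hijack.TrustedZone only)
    good_zone: Optional[int] = None  # zone MBAM restores


def parse_mbam_log(text: str) -> list:
    """One Detection per 'location (Threat) -> action' line; headers and counters are skipped."""
    found = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        found.append(Detection(
            location=m["location"], threat=m["threat"], action=m["action"],
            bad_zone=int(m["bad"]) if m["bad"] else None,
            good_zone=int(m["good"]) if m["good"] else None))
    return found


def unresolved(detections) -> list:
    """Detections still present on the system, e.g. 'No action taken'."""
    return [d for d in detections if not d.action.startswith(RESOLVED_ACTIONS)]


def zone_hijacks(detections) -> list:
    """(domain, scheme, zone set by malware, zone restored) for each Hijack.TrustedZone item."""
    out = []
    for d in detections:
        zm = ZONEMAP_RE.search(d.location)
        if d.threat == "Hijack.TrustedZone" and zm:
            out.append((zm["domain"], zm["scheme"],
                        IE_ZONES.get(d.bad_zone, "?"), IE_ZONES.get(d.good_zone, "?")))
    return out


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, {len(unresolved(dets))} not removed")
    for d in unresolved(dets):
        print("  STILL PRESENT:", d.threat, d.location)
    for domain, scheme, bad, good in zone_hijacks(dets):
        print(f"  {scheme}://{domain} was moved to {bad}; restored to {good}")
```

The zone decoding is the security-relevant part: a domain placed in Trusted Sites gets the relaxed ActiveX and scripting settings of that zone, which is why adware adds its download and payment hosts there. Running the check over a log before posting it would have caught the "No action taken" run immediately.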
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Some Housekeeping to start:
    You have multiple antivirus programs running. You need to get this down so that there is only 1 antivirus program running. Multiple AV programs make a system more vulnerable, not less. I have listed them along with a removal tool. Download the removal tools for those you don't want to keep and save them to your desktop - don't run yet:
    Note: Follow directions for each removal tool.
    If you paid for AVG 2011, you might want to remove the free programs.

    After you have gotten the downloads you need and saved them to the desktop:>>
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double click each removal tool to run
    • Continue until all but the one AV you want remains
    • Check Add/Remove Programs in the Control Panel. If any of the AV programs you removed still show, highlight> Uninstall
      Note: While in Add/Remove Programs, include Hitman Pro in the uninstall

    Using Windows Explorer: Windows key + E> From within Windows explorer:
    • Click on My Computer> Double click Local Drive (C)> Programs
    • Find the Program for each of the antivirus (or suite names) you uninstalled and do a right click> Delete on each.
      Note: While in Programs> include Hitman Pro in the right click> Delete of program folder.
    • Exit Windows Explorer
    • Reboot into Normal Mode
    ===========================================
    You have 4 outdated versions of Java, all vulnerabilities. The following program will remove them all:
    Please download JavaRa and unzip it to your desktop.

    Important!
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install the most current version and update of Java Runtime Environment (JRE) HERE.

    Let me know when you have finished this and I will take you to the next step. If you have any questions about the instructions, stop and ask. I note that you have RegCure installed. Most of us don't recommend a Registry cleaner and I would recommend that you uninstall it. If you choose to keep it, please disable it while we are cleaning the system.
     
  7. pms1228

    pms1228 TS Rookie Topic Starter

    Removal of security programs and old Java versions is completed

    I have gone through the steps you have outlined.
    Paula
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you should be moving a bit better. Be sure you have rebooted the computer since completing the above:

    Run TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
    Empty the Recycle Bin
    =======================================
    Let's see what you picked up while you had all the AV programs: Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
     
  9. pms1228

    pms1228 TS Rookie Topic Starter

    logs for ESET scan and combofix

    ESET scan
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=76b3e7cf37cd574484defbaec6cef9fa
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-20 02:06:52
    # local_time=2010-11-19 08:06:52 (-0600, Central Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=78232
    # found=0
    # cleaned=0
    # scan_time=2194


    combofix
    ComboFix 10-11-19.01 - Paula 11/19/2010 21:09:13.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.558 [GMT -6:00]
    Running from: c:\documents and settings\Paula\My Documents\downloads\Virus stuff\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\DELL\ATAPI.EXE
    c:\documents and settings\DELL\TrueInstallMSN.exe
    c:\documents and settings\DELL\UWAKEOFF.EXE
    c:\documents and settings\DELL\UWAKEON.EXE
    c:\documents and settings\Paula\Application Data\install
    c:\documents and settings\Paula\g2mdlhlpx.exe
    c:\documents and settings\Paula\GoToAssistDownloadHelper.exe
    c:\documents and settings\Paula\My Documents\DPE.DUS
    c:\documents and settings\Paula\zlib.dll
    C:\Microsoft
    c:\microsoft\WindowsDefender.msi
    c:\program files\version.txt
    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
    c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
    c:\windows\MailSwitch.ocx
    c:\windows\system32\BSTIEPrintCtl1.dll
    c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
    c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    D:\install.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
    .

    2010-11-19 22:39 . 2010-11-19 22:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\Paula\Application Data\Malwarebytes
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-18 22:16 . 2010-11-18 22:16 -------- d-----w- C:\$AVG
    2010-11-18 21:54 . 2010-11-18 21:54 -------- d-----w- c:\documents and settings\Paula\Application Data\AVG10
    2010-11-18 21:50 . 2010-11-19 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-11-18 21:37 . 2010-11-18 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-11-18 20:41 . 2010-11-18 21:30 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-18 20:40 . 2010-11-18 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-11-17 18:15 . 2010-11-19 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-11-16 17:25 . 2010-11-16 17:25 -------- d-----w- c:\documents and settings\Paula\Local Settings\Application Data\Dell
    2010-11-13 20:07 . 2010-11-13 20:07 -------- d-----w- C:\found.000
    2010-11-13 14:34 . 2010-11-13 15:05 -------- d-----w- c:\documents and settings\Administrator
    2010-10-22 22:26 . 2010-10-25 17:44 -------- d-----w- c:\program files\Cisco Systems
    2010-10-22 22:21 . 2010-10-22 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-19 22:39 . 2008-02-01 19:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-19 20:51 . 2010-04-03 16:31 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-01 07:52 . 2010-10-01 07:52 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-01 07:50 . 2010-06-14 23:02 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-01 07:50 . 2010-06-14 23:02 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    2010-09-21 21:52 . 2010-09-21 21:52 36208 ----a-w- c:\documents and settings\Paula\Dscan16.dll
    2010-09-21 21:52 . 2010-09-21 21:52 2855 ----a-w- c:\documents and settings\Paula\Smstub16.pif
    2010-09-21 21:52 . 2010-09-21 21:52 17477 ----a-w- c:\documents and settings\Paula\Smstub16.exe
    2010-09-21 21:52 . 2010-09-21 21:52 585728 ----a-w- c:\documents and settings\Paula\HPAsset.exe
    2010-09-21 21:52 . 2010-09-21 21:52 40960 ----a-w- c:\documents and settings\Paula\hpmonZ.exe
    2010-09-18 17:23 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2004-08-10 11:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 11:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 01:43 . 2009-06-18 13:21 256 ----a-w- c:\documents and settings\Paula\pool.bin
    2010-08-27 08:02 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 11:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 02:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-10 11:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2004-03-01 20:58 . 2004-03-01 20:58 561424 ----a-w- c:\program files\Common Files\dao360.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
    [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-14 2424560]
    "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-06-23 1699128]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-05-11 21:39 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-06-17 20:12 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-09-15 22:12 273672 ----a-w- c:\program files\MSN Toolbar\Platform\6.3.2317.0\mswinext.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2007-05-14 20:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2007-10-08 20:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2007-10-08 20:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-09-11 09:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-01 20:46 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Syncables]
    2010-01-25 13:55 530736 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
    "8182:TCP"= 8182:TCP:Java(TM) Platform SE binary
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 11:06 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 67656]
    R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [10/1/2010 1:52 AM 67904]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [6/19/2007 12:35 PM 597640]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [10/9/2008 5:37 PM 386560]
    S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 3:14 PM 106624]
    S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 11:00 AM 59648]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 4:05 PM 266544]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 12872]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-20 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-11-20 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-11-20 c:\windows\Tasks\User_Feed_Synchronization-{CDC5A832-D7C0-4888-9457-2C57B7600603}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;127.0.0.1
    uInternet Settings,ProxyServer = http=
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: surfright.nl\www
    TCP: {E2B52A10-D3BD-40BD-BFF6-95732E441C4C} = 208.67.222.222,208.67.220.220
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Web-Based Email Tools - hxxp://email09.secureserver.net/Download.CAB
    DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://entrepreneur.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {A906CBEA-6FAF-43B8-AE2F-857C5A21884C} - hxxps://mediadownloads.walmart.com/mmce/resources/walmartcheck2.cab
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
    MSConfigStartUp-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-823518204-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1064)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\system32\netprovcredman.dll
    .
    Completion time: 2010-11-19 21:16:58
    ComboFix-quarantined-files.txt 2010-11-20 03:16

    Pre-Run: 16,970,166,272 bytes free
    Post-Run: 16,900,726,784 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - D71E6D87D1943CBFBE168DC8DCC292B5
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Disable the AVG Resident Shield before running the Combofix script:

    Please open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Uncheck the "Turn on AVG Resident Shield"
    • Save the setting.

    To re-enable the AVG Resident Shield after the scans:
    • Open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Check the "Turn on AVG Resident Shield"
    • Save the setting.
    ===========================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\drivers\TfSysMon.sys
    c:\windows\system32\drivers\TfFsMon.sys
    c:\windows\system32\drivers\TfNetMon.sys
    c:\program files\pc tools security\tfengine\tfservice.exe service
    c:\windows\system32\netprovcredman.dll
    
    Folder::
    c:\program files\Hitman Pro 3.5
    c:\docume~1\alluse~1\applic~1\Hitman Pro
    c:\documents and settings\All Users\Application Data\Hitman Pro
    C:\found.000
    
    DDS::
    uInternet Settings,ProxyServer = http=
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: surfright.nl\www
    DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
    DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://ca.com/us/securityadvisor/virusinfo/webscan.cab
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    Driver::
    ThreatFire
    TfFsMon
    TfSysMon
    TfNetMon
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.

    Reboot and follow with instructions in next post.
     
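As an added example (not code from this thread, from ComboFix or from the helper), the script below reads the sections of a ComboFix log that the CFScript above acts on and lists the indicators a reviewer would check first: a core system binary reported missing by Sigcheck, Security Center override/DisableMonitoring values set to 1 (which hide that antivirus or the firewall is off), inbound ports opened in the XP firewall policy, any per-user ProxyServer value, and the DNS servers assigned to the adapter (proxy and DNS are the two usual homes of a browser redirection). The sample input is an excerpt of the log posted earlier in the thread, with the forum's ":mad:" smiley restored to the original ":@" resource reference; the list of ports treated as risky is an assumption for this example.

```python
import re

# Constructed sample: lines excerpted from the ComboFix log posted in this
# thread (Sigcheck, Reg Loading Points and Supplementary Scan sections).
# A complete C:\ComboFix.txt is parsed the same way.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Java(TM) Platform SE binary

------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;127.0.0.1
uInternet Settings,ProxyServer = http=
TCP: {E2B52A10-D3BD-40BD-BFF6-95732E441C4C} = 208.67.222.222,208.67.220.220
"""

# Security Center values that, when set to 1, silence the "no antivirus /
# no firewall" warnings; malware sets them so the user never notices.
SUPPRESSION_VALUES = {"AntiVirusOverride", "FirewallOverride",
                      "AntiVirusDisableNotify", "FirewallDisableNotify",
                      "UpdatesDisableNotify", "DisableMonitoring"}

# Inbound ports a home XP machine rarely needs open to the world
# (assumption for this example; tune to the environment).
RISKY_PORTS = {"3389:TCP", "135:TCP", "445:TCP", "23:TCP"}

MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<servers>[\d.,]+)$")


def parse_findings(log_text):
    """Return (category, detail) tuples for the indicators worth reviewing."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = MISSING_RE.match(line)
        if m:
            # A core binary gone from System32 while dllcache still holds a
            # copy: deleted by malware, or replaced and then removed.
            findings.append(("missing_system_file", m.group("path")))
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue

        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value")
            if ("security center" in current_key and name in SUPPRESSION_VALUES
                    and value.lower().endswith("00000001")):
                findings.append(("security_center_suppressed",
                                 current_key + "\\" + name))
            elif "globallyopenports" in current_key and name in RISKY_PORTS:
                findings.append(("risky_open_port", name))
            continue

        m = PROXY_RE.match(line)
        if m:
            # Any ProxyServer value, even an empty "http=", shows something
            # wrote the per-user proxy setting; redirectors often live here.
            findings.append(("proxy_server_set", m.group("value")))
            continue

        m = DNS_RE.match(line)
        if m:
            # Report the adapter's resolvers so the reviewer can confirm they
            # are the ones the user chose and not a hijacked DNS server.
            findings.append(("dns_servers", m.group("servers")))
    return findings


def summarize(findings):
    """Group findings by category, preserving the order they were found in."""
    summary = {}
    for category, detail in findings:
        summary.setdefault(category, []).append(detail)
    return summary


if __name__ == "__main__":
    for category, details in summarize(parse_findings(SAMPLE_LOG)).items():
        print(category)
        for detail in details:
            print("   ", detail)
```

Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; on the excerpt it reports the missing spoolsv.exe, both Security Center suppression values, the open Remote Desktop port, the empty ProxyServer entry and the two DNS servers, which is exactly the set the Registry:: and DDS:: sections of the CFScript above are written to clean up or confirm.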
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When the script run through Combofix has completed, please repeat the Security Check:

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ==========================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  12. pms1228

    pms1228 TS Rookie Topic Starter

    ComboFix log

    ComboFix 10-11-19.01 - Paula 11/22/2010 7:35.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.580 [GMT -6:00]
    Running from: c:\documents and settings\Paula\My Documents\downloads\Virus stuff\ComboFix.exe
    Command switches used :: c:\documents and settings\Paula\My Documents\downloads\Virus stuff\cfscript.txt

    FILE ::
    "c:\program files\pc tools security\tfengine\tfservice.exe service c:\windows\system32\netprovcredman.dll"
    "c:\windows\system32\drivers\hitmanpro35.sys"
    "c:\windows\system32\drivers\TfFsMon.sys"
    "c:\windows\system32\drivers\TfNetMon.sys"
    "c:\windows\system32\drivers\TfSysMon.sys"
    .
    ADS - WINDOWS: deleted 128 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\found.000
    c:\found.000\dir0000.chk\HIP_ABC.GIF
    c:\found.000\dir0000.chk\HIPUSER.HTM
    c:\windows\system32\drivers\hitmanpro35.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TFFSMON
    -------\Legacy_TFNETMON
    -------\Legacy_TFSYSMON
    -------\Service_TfFsMon
    -------\Service_TfNetMon
    -------\Service_TfSysMon


    ((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
    .

    2010-11-22 13:24 . 2010-11-22 13:24 -------- d-----w- c:\documents and settings\Paula\Application Data\AVG10
    2010-11-22 13:20 . 2010-11-22 13:20 -------- d-----w- c:\program files\AVG
    2010-11-19 22:39 . 2010-11-19 22:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\Paula\Application Data\Malwarebytes
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-18 22:16 . 2010-11-18 22:16 -------- d-----w- C:\$AVG
    2010-11-18 21:50 . 2010-11-22 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-11-18 21:37 . 2010-11-18 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-11-18 20:40 . 2010-11-18 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-11-17 18:15 . 2010-11-19 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-11-16 17:25 . 2010-11-16 17:25 -------- d-----w- c:\documents and settings\Paula\Local Settings\Application Data\Dell
    2010-11-13 14:34 . 2010-11-13 15:05 -------- d-----w- c:\documents and settings\Administrator

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-19 22:39 . 2008-02-01 19:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-19 20:51 . 2010-04-03 16:31 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-01 07:52 . 2010-10-01 07:52 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-01 07:50 . 2010-06-14 23:02 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-01 07:50 . 2010-06-14 23:02 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    2010-09-21 21:52 . 2010-09-21 21:52 36208 ----a-w- c:\documents and settings\Paula\Dscan16.dll
    2010-09-21 21:52 . 2010-09-21 21:52 2855 ----a-w- c:\documents and settings\Paula\Smstub16.pif
    2010-09-21 21:52 . 2010-09-21 21:52 17477 ----a-w- c:\documents and settings\Paula\Smstub16.exe
    2010-09-21 21:52 . 2010-09-21 21:52 585728 ----a-w- c:\documents and settings\Paula\HPAsset.exe
    2010-09-21 21:52 . 2010-09-21 21:52 40960 ----a-w- c:\documents and settings\Paula\hpmonZ.exe
    2010-09-18 17:23 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2004-08-10 11:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 11:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 01:43 . 2009-06-18 13:21 256 ----a-w- c:\documents and settings\Paula\pool.bin
    2010-08-27 08:02 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 11:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 02:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2004-03-01 20:58 . 2004-03-01 20:58 561424 ----a-w- c:\program files\Common Files\dao360.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
    [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-06-23 1699128]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-06-17 20:12 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-09-15 22:12 273672 ----a-w- c:\program files\MSN Toolbar\Platform\6.3.2317.0\mswinext.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2007-05-14 20:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2007-10-08 20:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2007-10-08 20:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-09-11 09:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-01 20:46 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Syncables]
    2010-01-25 13:55 530736 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
    "8182:TCP"= 8182:TCP:Java(TM) Platform SE binary
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [10/1/2010 1:52 AM 67904]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [6/19/2007 12:35 PM 597640]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [10/9/2008 5:37 PM 386560]
    S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 3:14 PM 106624]
    S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 11:00 AM 59648]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 4:05 PM 266544]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-22 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-11-22 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{CDC5A832-D7C0-4888-9457-2C57B7600603}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;127.0.0.1
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: surfright.nl\www
    TCP: {E2B52A10-D3BD-40BD-BFF6-95732E441C4C} = 208.67.222.222,208.67.220.220
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Web-Based Email Tools - hxxp://email09.secureserver.net/Download.CAB
    DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://entrepreneur.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {A906CBEA-6FAF-43B8-AE2F-857C5A21884C} - hxxps://mediadownloads.walmart.com/mmce/resources/walmartcheck2.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-22 07:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-823518204-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1064)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\system32\netprovcredman.dll

    - - - - - - - > 'explorer.exe'(1648)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\rundll32.exe
    c:\windows\eHome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-22 07:48:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-22 13:48
    ComboFix2.txt 2010-11-20 03:16

    Pre-Run: 16,560,840,704 bytes free
    Post-Run: 16,391,036,928 bytes free

    - - End Of File - - 20F88B91E55E4999FA273BF7B2173075
     
  13. pms1228

    pms1228 TS Rookie Topic Starter

    Security Check Scan log and Hijack This log

    Results of screen317's Security Check version 0.99.6
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    OneCare Advisor (Windows Live Toolbar)
    Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    CCleaner
    Java(TM) 6 Update 22
    Adobe Flash Player
    Adobe Reader 9.3.4
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Paula My Documents downloads Virus stuff\SecurityCheck.exe
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````




    Hijack This log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:59:49 AM, on 11/22/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\NLSSRV32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
    O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    O16 - DPF: Web-Based Email Tools - http://email09.secureserver.net/Download.CAB
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://entrepreneur.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167758081154
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-6fa626abaa234940.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - http://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    O16 - DPF: {A906CBEA-6FAF-43B8-AE2F-857C5A21884C} (CCheckCtrl Object) - https://mediadownloads.walmart.com/mmce/resources/walmartcheck2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
    O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B52A10-D3BD-40BD-BFF6-95732E441C4C}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (file missing)
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
    O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
    O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 14161 bytes
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Is there some reason you are now logging on to GoToAssist? Looks like you installed it in 2008- possibly for online remote help. There is an entry loading from the Registry:
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    And also by a Service:
    2008-06-17 20:12 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    I can remove these with script if you're not using this.

    Also, have you or the Administrator intentionally opened the following ports?
     
  15. pms1228

    pms1228 TS Rookie Topic Starter

    Go To Assist and open ports

    Hello
    I had probably used Go To Assist when I needed some assistance from Dell on my computer to diagnose a hardware problem. I do not use that.
    Also I have not intentionally opened any additional ports. May have been done by Go To Assist (?) so I am clueless as to why they may be set that way.
    Paula
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- lost the thread!

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it: Be sure to scroll down and include everything in the code box.
    Code:
    File::
    Folder::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"=-
    "5353:UDP"=-
    "8182:TCP"=-
    "3587:TCP"=-
    "3540:UDP"=-
    
    FCopy::
    c:\windows\system32\dllcache\spoolsv.exe | c:\windows\System32\spoolsv.exe
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Tell me please if you have the Chinese language on the system. And what are these tasks scheduled for? Did the Microsoft Fix it Center assist you with a problem? Are you needing to have these processes updated regularly?

    2010-11-22 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-11-22 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]
    =============================================
    I notice you have CCleaner set to auto start on boot. Please disable that while I'm helping you.

    I took a quick look at the HJT log. You have too many O16 entries> those are for ActiveX Objects. Do you have a lot of add-ons? This can be a big vulnerability!

    Also see too many Services running. (O23) Have you ever customized the settings for them? I'd like you to visit Black Viper's site here http://www.blackviper.com/WinXP/servicecfg.htm In my opinion, there is no better source on the internet for knowing how to set the Services. Some must be on Automatic, meaning they need to start on boot. Many can be set to Manual to start when needed. And some can be Disabled because they can be a vulnerability.

    Take your time with the Services. Be sure to check the Dependency> it's all there> scroll down to his chart.
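The helper's read of these logs (which firewall ports are open and were not intentionally opened, how many O16 ActiveX entries there are, which O23 services point at a binary that no longer exists, whether the O17 name servers are the ones the user set) can be scripted. The block below is an added Python example, not code from this thread, from HijackThis or from ComboFix; its sample lines are copied from the logs posted above. The set of resolvers treated as expected (the OpenDNS addresses in the O17 line) and the set of open ports treated as intentional (the ActiveSync port the CFScript keeps) are assumptions the caller supplies, not facts the tool discovers.

```python
"""Triage the HijackThis and ComboFix firewall sections posted in this thread.

Added example: parse_hjt/triage read HijackThis "Oxx - ..." lines and
parse_open_ports reads the GloballyOpenPorts section as ComboFix prints it.
"""
import re
from collections import Counter

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<rest>.+)$')

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B52A10-D3BD-40BD-BFF6-95732E441C4C}: NameServer = 208.67.222.222,208.67.220.220
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: the firewall section from the ComboFix log above.
SAMPLE_PORTS = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"""


def parse_hjt(text):
    """Return (section code, body) pairs; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries, expected_dns=frozenset()):
    """Collect what a helper looks for. expected_dns is the caller's assumption
    about which resolvers the user configured on purpose."""
    report = {
        "section_counts": Counter(code for code, _ in entries),
        "stale": [],               # entries whose target file no longer exists
        "activex": [],             # O16 downloaded program files (ActiveX)
        "plain_http_activex": [],  # O16 controls fetched without TLS
        "dns_unexpected": [],      # O17 resolvers not in expected_dns
        "winlogon_notify": [],     # O20 DLLs loaded into winlogon
        "filter_hijack": [],       # O18 MIME filter handlers
    }
    for code, body in entries:
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            report["stale"].append((code, body))
        if code == "O16":
            name, _, url = body.rpartition(" - ")
            if name.startswith("DPF: "):
                name = name[5:]
            report["activex"].append((name, url))
            if url.lower().startswith("http://"):
                report["plain_http_activex"].append(url)
        elif code == "O17":
            servers = body.partition("NameServer = ")[2]
            report["dns_unexpected"].extend(
                ip.strip() for ip in servers.split(",")
                if ip.strip() and ip.strip() not in expected_dns)
        elif code == "O20":
            report["winlogon_notify"].append(body)
        elif code == "O18":
            report["filter_hijack"].append(body)
    return report


def parse_open_ports(text):
    """Return (port, protocol, description) for each GloballyOpenPorts value."""
    ports = []
    for raw in text.splitlines():
        m = OPEN_PORT.match(raw.strip())
        if m:
            fields = m.group("rest").split(":")
            ports.append((int(m.group("port")), m.group("proto"), fields[-1]))
    return ports


def unexpected_ports(ports, keep):
    """Open ports that are not in keep, a caller-supplied set of (port, proto)."""
    return [p for p in ports if (p[0], p[1]) not in keep]


if __name__ == "__main__":
    rep = triage(parse_hjt(SAMPLE_HJT), {"208.67.222.222", "208.67.220.220"})
    print("O16 ActiveX entries:", rep["section_counts"]["O16"])
    print("stale entries:", len(rep["stale"]))
    for port in unexpected_ports(parse_open_ports(SAMPLE_PORTS), {(26675, "TCP")}):
        print("open port not accounted for:", port)
```

To use it on a full log, read the HijackThis file and pass its text to parse_hjt, and pass the ComboFix firewall section to parse_open_ports; the script only reports, it changes nothing on the machine.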
     
  17. pms1228

    pms1228 TS Rookie Topic Starter

    12/3 Combofix log
    ComboFix 10-12-03.01 - Paula 12/03/2010 16:38:40.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -6:00]
    Running from: c:\documents and settings\Paula\My Documents\downloads\Virus stuff\ComboFix.exe
    Command switches used :: c:\documents and settings\Paula\My Documents\downloads\Virus stuff\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\All Users\Application Data\Hitman Pro\Banner.bin

    .
    --------------- FCopy ---------------

    c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
    .

    2010-12-03 22:38 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
    2010-12-03 22:38 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-11-22 13:59 . 2010-11-22 13:59 388096 ----a-r- c:\documents and settings\Paula\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-22 13:59 . 2010-11-22 13:59 -------- d-----w- c:\program files\Trend Micro
    2010-11-22 13:24 . 2010-11-22 13:24 -------- d-----w- c:\documents and settings\Paula\Application Data\AVG10
    2010-11-22 13:20 . 2010-11-22 13:20 -------- d-----w- c:\program files\AVG
    2010-11-19 22:39 . 2010-11-19 22:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\Paula\Application Data\Malwarebytes
    2010-11-19 00:02 . 2010-11-19 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-18 22:16 . 2010-11-18 22:16 -------- d-----w- C:\$AVG
    2010-11-18 21:50 . 2010-11-22 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-11-18 21:37 . 2010-11-18 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-11-17 18:15 . 2010-11-19 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-11-16 17:25 . 2010-11-16 17:25 -------- d-----w- c:\documents and settings\Paula\Local Settings\Application Data\Dell
    2010-11-13 14:34 . 2010-11-13 15:05 -------- d-----w- c:\documents and settings\Administrator

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-19 22:39 . 2008-02-01 19:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-19 20:51 . 2010-04-03 16:31 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-01 07:52 . 2010-10-01 07:52 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-01 07:50 . 2010-06-14 23:02 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-01 07:50 . 2010-06-14 23:02 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    2010-09-21 21:52 . 2010-09-21 21:52 36208 ----a-w- c:\documents and settings\Paula\Dscan16.dll
    2010-09-21 21:52 . 2010-09-21 21:52 2855 ----a-w- c:\documents and settings\Paula\Smstub16.pif
    2010-09-21 21:52 . 2010-09-21 21:52 17477 ----a-w- c:\documents and settings\Paula\Smstub16.exe
    2010-09-21 21:52 . 2010-09-21 21:52 585728 ----a-w- c:\documents and settings\Paula\HPAsset.exe
    2010-09-21 21:52 . 2010-09-21 21:52 40960 ----a-w- c:\documents and settings\Paula\hpmonZ.exe
    2010-09-18 17:23 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2004-03-01 20:58 . 2004-03-01 20:58 561424 ----a-w- c:\program files\Common Files\dao360.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-11-20_03.14.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-03 22:21 . 2010-12-03 22:21 16384 c:\windows\temp\Perflib_Perfdata_2d4.dat
    + 2010-11-20 03:36 . 2010-11-20 03:36 301056 c:\windows\Installer\223bff.msi
    + 2010-11-22 13:57 . 2010-11-22 13:57 1094656 c:\windows\Installer\4e52f.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-06-17 20:12 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-09-15 22:12 273672 ----a-w- c:\program files\MSN Toolbar\Platform\6.3.2317.0\mswinext.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
    2010-06-23 21:07 1699128 ----a-w- c:\program files\CCleaner\CCleaner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2007-05-14 20:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2007-10-08 20:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2007-10-08 20:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-09-11 09:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-01 20:46 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Syncables]
    2010-01-25 13:55 530736 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
    "8182:TCP"= 8182:TCP:Java(TM) Platform SE binary
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [10/1/2010 1:52 AM 67904]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [6/19/2007 12:35 PM 597640]
    R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 4:05 PM 266544]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [10/9/2008 5:37 PM 386560]
    S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 3:14 PM 106624]
    S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 11:00 AM 59648]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-03 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-12-03 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

    2010-12-03 c:\windows\Tasks\User_Feed_Synchronization-{CDC5A832-D7C0-4888-9457-2C57B7600603}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;127.0.0.1
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: surfright.nl\www
    TCP: {E2B52A10-D3BD-40BD-BFF6-95732E441C4C} = 208.67.222.222,208.67.220.220
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Web-Based Email Tools - hxxp://email09.secureserver.net/Download.CAB
    DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://entrepreneur.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {A906CBEA-6FAF-43B8-AE2F-857C5A21884C} - hxxps://mediadownloads.walmart.com/mmce/resources/walmartcheck2.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-03 16:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-823518204-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1060)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\system32\netprovcredman.dll
    .
    Completion time: 2010-12-03 16:47:14
    ComboFix-quarantined-files.txt 2010-12-03 22:47
    ComboFix2.txt 2010-11-22 13:48
    ComboFix3.txt 2010-11-20 03:16

    Pre-Run: 16,301,084,672 bytes free
    Post-Run: 16,277,889,024 bytes free

    - - End Of File - - 6CB2E44B59F213EAD3197BA734844E9A


    Sorry for the delay in responding. I have been out of town and left my computer at home.

    No, to the best of my knowledge I do not have Chinese language installed.

    Yes, Microsoft Fix It did do some problem resolution for me but I don't know what the tasks are. I can remove those.

    I have disabled CCleaner.

    I do have 23 add-ons but only 4 are enabled.

    I will start working on the services
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you run all of the script I had in Reply #16? There is no change in the ports.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (file missing)
    O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)


    Close all Windows except HijackThis and click on "Fix Checked."
    =================================
    There are 2 Symantec Services remaining. We will delete each: Follow these steps.
    1. Start> Run> CMD> enter>
    2. Type each of the following in the CMD line and press Enter after each (the first service name contains spaces, so it must be quoted):
      Code:
      sc delete "Automatic LiveUpdate Scheduler"
      sc delete LiveUpdate
      
    3. If the deletion was successful, you'll see the following response.
      [SC] DeleteService SUCCESS
    4. Type Exit to close the command prompt

    Do any of the original problems remain? If not, you can remove the cleaning tools:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
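The helper's remark above that "there is no change in the ports" refers to the GloballyOpenPorts list in the posted ComboFix log. As an added example that is not part of this thread, the following Python parses that registry section from a constructed excerpt (entries copied from the posted log) and reports every port that is open to all addresses and not on a constructed allowlist; the `EXPECTED` set and the sample excerpt are assumptions, not the helper's own procedure.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of a ComboFix "Reg Loading Points" section; the
# GloballyOpenPorts entries are copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
"8182:TCP"= 8182:TCP:Java(TM) Platform SE binary
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
"""

@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str  # "subnet/mask" for a scoped rule, "*" when it applies to every address
    name: str

# Value layout: "<port>:<proto>"= <port>:<proto>[:<subnet/mask>:<state>]:<display name>
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')
SCOPED = re.compile(r'^(\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+):(Enabled|Disabled):(.*)$')

def parse_open_ports(log: str) -> List[OpenPort]:
    ports, in_section = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith('['):  # a new registry key begins
            in_section = line.lower().endswith(r'globallyopenports\list]')
            continue
        m = PORT_LINE.match(line) if in_section else None
        if not m:
            continue
        port, proto, rest = int(m.group(3)), m.group(4), m.group(5)
        s = SCOPED.match(rest)
        if s:
            ports.append(OpenPort(port, proto, s.group(1), s.group(3)))
        else:  # no scope field: the port is open to all addresses
            ports.append(OpenPort(port, proto, '*', rest))
    return ports

# Constructed allowlist: entries this example treats as expected on the machine.
EXPECTED = {(3587, 'TCP'), (3540, 'UDP')}

def exposed_ports(ports: List[OpenPort]) -> List[OpenPort]:
    return [p for p in ports if p.scope == '*' and (p.port, p.proto) not in EXPECTED]

if __name__ == '__main__':
    for p in exposed_ports(parse_open_ports(SAMPLE_LOG)):
        print(f'{p.port}/{p.proto} open to all addresses: {p.name}')
```

Scoped rules such as the ActiveSync entry (limited to 169.254.2.0/24) are parsed but not reported; the three unscoped entries, including 3389/TCP (Remote Desktop), are what a reviewer would ask about.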
     
Topic Status:
Not open for further replies.
