Solved Iexplore running in background, website redirection

DonD

Hello,

I really need your help! I have a virus or malware of some sort on my system that I cannot get rid of and was wondering if you could help me remove it? Or direct me to a proper forum for some help?

I was on the Southwest Airlines web site (www.southwest.com) last Friday when my system slowed down and I noticed Java loading in the system tray, which I don't recall seeing when on this site in the past. Then Internet Explorer was shut down. I then noticed that the Task Manager buttons were disabled so I could not start the Task Manager. Every time I reboot my computer now there is an iexplore.exe process running in the background. If I kill it, it will restart after a minute or two. In addition, when I try to go to different web sites, Internet Explorer will randomly redirect me to other sites. It will also pop up ads occasionally. This iexplore.exe background process will normally continue to eat up memory until it finally causes it to crash.

At one point after rebooting, only a few of my services would start. After doing some investigating I realized that the SVCHOST.EXE program was deleted. I restored it from another computer and then they started fine. This hasn't happened again.

I occasionally notice that winword.exe is also running in the background after rebooting, even though Word and Outlook are not running. However, this happens much less frequently than iexplore.exe showing up in the background.

Not sure if this is of any help or not, but a file was created in c:\windows\system32 when I noticed this stuff happening called d3d9caps.dat.

If I boot under Safe Mode, iexplore does not show up in the background. However, if I boot up under Safe Mode with Networking, then it does launch in the background. So this eliminates a lot of the various programs that get launched at boot time from being the culprit, since it happens when booting into Safe Mode with Networking.

The program Process Explorer shows that iexplore.exe (when running in the background) is being launched by Explorer.exe. If I kill the Explorer.exe process, then iexplore.exe does not get launched in the background, which confirms it is being launched by Explorer.exe. One thing I noticed is that after killing the Explorer.exe process, it does not get restarted automatically, which I seem to remember it doing in the past? The malware may be doing this to prevent it from being killed by simply restarting Explorer.exe?

I am running Windows XP Pro (Service Pack 3)
For anti-virus software I am running Symantec Endpoint Protection Version 11.


Here is a list of the services that are running under Safe Mode with Networking and not under Safe Mode:

Computer Browser
DHCP Client
DNS Client
Messenger
Net Logon
Network Connections
Server
TCP/IP NetBIOS Helper
Terminal Services
Windows Firewall/Internet Connection Sharing (ICS)
Wireless Zero Configuration
Workstation

I disabled all of these services a few at a time and the only one that made a difference was the DHCP Client.

If I disable the DHCP Client service then iexplore does not get launched in the background. As soon as I enable DHCP Client then it gets launched. Not sure if my DHCP Client service got hijacked or if the malware does not try to do anything if an internet connection cannot be established?

I installed Malwarebytes and ran the various scans.
Here is the Malwarebytes Quick Scan log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8092

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/5/2011 1:51:12 PM
mbam-log-2011-11-05 (13-51-12).txt

Scan type: Quick scan
Objects scanned: 301177
Time elapsed: 14 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cl.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Temp\mgkpyeoriquvgj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the Malwarebytes Flash Scan log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8092

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/5/2011 2:04:26 PM
mbam-log-2011-11-05 (14-04-26).txt

Scan type: Flash scan
Objects scanned: 246983
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the Malwarebytes Full Scan log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8092

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/5/2011 3:50:42 PM
mbam-log-2011-11-05 (15-50-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 419013
Time elapsed: 1 hour(s), 41 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{b5900582-1901-4f7e-bafe-8feb08721d95}\RP2722\A0477191.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the latest Malwarebytes Protection log:

01:47:35 don MESSAGE Scheduled update executed successfully
01:47:36 don MESSAGE IP Protection stopped
01:48:48 don MESSAGE Database updated successfully
01:48:52 don MESSAGE IP Protection started successfully
07:56:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:56:55 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:57:01 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:49 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:58 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:48 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:51 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:57 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:10:14 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:17 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:23 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:34 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:37 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:43 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:55 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:58 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:11:04 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:12:12 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:15 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:21 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:32 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:35 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:41 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:34:24 don MESSAGE Protection started successfully
08:34:43 don MESSAGE IP Protection started successfully
08:48:22 don IP-BLOCK 206.161.121.100 (Type: outgoing)
08:48:25 don IP-BLOCK 206.161.121.100 (Type: outgoing)
09:08:05 don MESSAGE Protection started successfully
09:08:14 don MESSAGE IP Protection started successfully
09:20:06 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:09 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:15 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:33:34 don MESSAGE Protection started successfully
09:33:38 don MESSAGE IP Protection started successfully

After having Malwarebytes correct the errors it found, I still have the same problem with iexplore.exe getting launched in the background.


Here is the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:47 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\WINDOWS\SYSTEM32\k9nt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://www.powerball.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://srv1/ConnectComputer/nshelp.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datalink.lan
O17 - HKLM\Software\..\Telephony: DomainName = datalink.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datalink.lan
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith - C:\WINDOWS\SYSTEM32\k9nt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 11597 bytes

I tried to run GMER.exe and got the following error:
LoadDriver("C:\Temp\pxtdapow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

After clicking OK, the program came up and seemed to be OK.

Here is the GMER.EXE log file:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 10:30:02
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----


I have been unable to find the hook this virus/malware has into Explorer. Please let me know if there is anything else I can provide for you to help me eliminate this virus or malware! Thank you so much for any help you could provide me.

Don
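As an added example that is not part of the original thread (neither Don nor the helper posted it), the following Python reads the IP-BLOCK lines from the Malwarebytes protection log quoted above and groups the blocked outgoing attempts per destination into bursts, so the retry cadence (three attempts at +3 s and +6 s, repeated roughly every two minutes) shows up as numbers rather than having to be read off by eye. The log lines are copied from the post; the 10-second burst window and 5-second tolerance are parameter choices made here, not anything the tool reports.

```python
"""Find beaconing in Malwarebytes IP-Protection log lines (added example, not from the thread).
SAMPLE_LOG is copied from the protection log in the post above; MESSAGE lines are ignored.
Attempts a few seconds apart are folded into bursts so the cadence between bursts is visible."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
07:56:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:56:55 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:57:01 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:49 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:58 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:48 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:51 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:57 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:10:14 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:17 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:23 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:34 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:37 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:43 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:55 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:58 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:11:04 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:12:12 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:15 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:21 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:32 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:35 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:41 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:34:24 don MESSAGE Protection started successfully
08:48:22 don IP-BLOCK 206.161.121.100 (Type: outgoing)
08:48:25 don IP-BLOCK 206.161.121.100 (Type: outgoing)
09:08:05 don MESSAGE Protection started successfully
09:20:06 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:09 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:15 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
"""

IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s+(?P<direction>incoming|outgoing)\)$")

def parse_ip_blocks(lines):
    """Yield (seconds since midnight, ip, direction) for each IP-BLOCK line; skip everything else."""
    for line in lines:
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m["time"].split(":"))
            yield h * 3600 + mi * 60 + s, m["ip"], m["direction"]

def group_bursts(times, burst_gap=10):
    """Fold sorted timestamps into bursts: attempts <= burst_gap seconds apart belong together."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= burst_gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def summarise(lines, burst_gap=10):
    """Per destination IP: attempt count, bursts, burst sizes, seconds between burst starts."""
    per_ip = defaultdict(list)
    for t, ip, direction in parse_ip_blocks(lines):
        if direction == "outgoing":  # only host-initiated (beacon-like) traffic
            per_ip[ip].append(t)
    report = {}
    for ip, times in per_ip.items():
        bursts = group_bursts(sorted(times), burst_gap)
        starts = [b[0] for b in bursts]
        report[ip] = {"attempts": len(times), "bursts": len(bursts),
                      "burst_sizes": [len(b) for b in bursts],
                      "gaps_between_bursts": [b - a for a, b in zip(starts, starts[1:])]}
    return report

def looks_periodic(gaps, tolerance=5, min_repeats=3):
    """True when at least min_repeats gaps agree within tolerance seconds. Outliers are ignored,
    so the long pause around the restart (see the MESSAGE lines) does not hide the cadence."""
    return any(sum(1 for o in gaps if abs(o - g) <= tolerance) >= min_repeats for g in gaps)

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG.splitlines()).items():
        flag = "PERIODIC" if looks_periodic(info["gaps_between_bursts"]) else ""
        print(f"{ip:16} attempts={info['attempts']:2} gaps={info['gaps_between_bursts']} {flag}")
```

On these lines 64.120.141.165 comes out as six bursts of three with gaps of 117, 119, 119 and 120 seconds between them (the 4758-second gap coincides with the "Protection started" messages, i.e. the machine being restarted), which is the fixed retry schedule a practitioner reads as a beacon. The other three destinations are hit only once or twice and do not meet the periodicity threshold on this much data.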
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================================

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

...means I still need DDS logs.
 
dds.scr hung

Hi,

Thank you so much for responding to my post.

I tried running the dds.scr script and it keeps locking up the system. It probably ran about 5 minutes before locking up. I let it continue to try and run for about 15 minutes before giving up and turning the power off. I disabled Symantec Endpoint Protection as well as Malwarebytes Anti-Malware before running it. I also disabled the DHCP Client service since that prevents iexplore.exe from getting launched in the background and doing its nasty things.

The command window shows pound signs as follows:

Post the contents of the logfile to the forum where it was requested

##################################################

The only other window I had up was Task Manager so I could see what was going on. Task Manager shows the MBR.DAT process as running when it seems to hang up the system. The keyboard is unable to do anything outside of the Task Manager window, including CTRL-ALT-DEL and the Windows key. The clock in the system tray even quit getting updated. Task Manager showed the CPU Usage at 0%, but the Task Manager window would occasionally update itself and flicker. Please let me know how I should proceed?

Thanks,

Don
 
Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
TDSSKiller.exe did nothing!

Hi,

I downloaded TDSSKiller.exe and tried to run it and nothing happened, other than Windows giving me the Open File Security Warning asking if I wanted to run the file? I clicked on OK and it did nothing.

So, I tried to run it from a command prompt and had Task Manager up so I could see if it did anything. The command prompt just came back to another prompt, and Task Manager showed the number of processes as never changing, like it never started?

What should I try next?

Thanks,

Don
 
Try Safe Mode.
If still nothing....

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
 
Getting BSOD 0x7B now

Hi,

I tried running the TDSSKiller.exe under safe mode, but got the same results. I also tried downloading it from another "good" system and copying it to the infected system and renamed it to don.com, as well as don.exe, and still had the same results of it not doing anything.

I then downloaded FixTDSS.exe, disabled System Restore, closed all running programs and ran it. It then asked me to restart my system and when it boots now I get a BSOD stop error 0x7B, both in Normal mode and in Safe mode!

So now my system is unbootable.

What now???

Thanks,

Don
 
1. Insert your Windows XP CD into your CD-ROM drive and make sure the drive is capable of booting from the CD.
2. Once you have booted from CD, do NOT select the option that states: Press F2 to initiate the Automated System Recovery (ASR) tool.
You’re going to proceed until you see the following screen, at which point you will press the “R” key to enter the recovery console:

[screenshot: Windows Setup welcome screen]


3. After you have selected the appropriate option from step two, you will be prompted to select a valid Windows installation (typically number 1).
Select the installation number, and hit Enter.
If there is an administrator password for the administrator account, enter it and hit Enter (if asked for the password, and you don't know it, you're out of luck).
You will be greeted with this screen, which indicates a recovery console at the ready:

[screenshot: Recovery Console prompt]


4. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

fixboot

exit

5. Reboot computer.

====================================================================

If you don't have Windows CD...
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
 
Hi,

I booted from my Windows XP CD and for some reason it does not recognize my Administrator password? I normally do not log on under the Administrator account, I normally log on under my own account which has Administrator rights though.

I did have another copy of Windows installed under c:\windowst (Temporary Windows) that I needed to resolve a problem several years ago. So, when the CD boot asked me which version I wanted to boot under I told it to use this temporary version (Option 2). This copy accepted my Administrator password without a problem. So I ran FIXMBR and FIXBOOT under this temporary version. Apparently that wasn't a good idea. I noticed that when FIXBOOT ran it said it was working with drive F:, which I thought was strange, but I went ahead anyway. When it boots now I get an error saying NTLDR is missing.

Is there a way I can boot from the CD and select my main Windows installation (Option 1) and tell it to use my normal User ID and password (which has Admin rights)? When I was asked for the Administrator password I tried entering <User ID>\<Password>, but that didn't work.

Can I try to boot from the hard drive and use the Last known good configuration?

Sorry, I hope I didn't mess things up too bad!

Don
 
Hi,

I was unable to try the "Last known..." option because the boot process never gets that far. I get the "NTLDR is Missing" error first. So, I booted from the Windows XP CD and logged in under the temporary installation of Windows that I had installed a long time ago, since my password still works with that version. I copied NTLDR and NTDETECT.COM from the CD from the i386 folder to c:\. Drive c:\ already had them there, but they were different sizes. I then tried to boot from the hard drive and I still get the "NTLDR is Missing" error? I then rebooted and pressed the F12 key to load up the boot options menu. I selected the option to boot the Utility Partition and it came up fine. This is a partition that came preloaded from Dell.

I then booted from the CD again into the recovery console and the boot.ini file contains:

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(2)
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\Windowst="Microsoft Windows XP Professional (Temporary)" /fastdetect

The output from the recovery console "map" command is:

? FAT16 62MB \Device\Harddisk0\Partition1
C: NTFS 76222MB \Device\Harddisk0\Partition2
E: 8MB \Device\Harddisk0\Partition3
A: \Device\Floppy0
D: \Device\CdRom0


The FAT16 partition1 came preloaded on my system by Dell as a Utility partition.
I have no idea what partition3 is (Drive E:)? I've never noticed it before. Not sure if the virus created it or what? If I do a "Dir e:" I get the error "An error occurred during directory enumeration."

I was able to run FIXBOOT C: without a problem.

I was able to run FIXMBR C: without a problem. However, if I try to run "FIXMBR \Device\Harddisk0\Partition2" I get a warning about it detecting an invalid or non-standard partition table signature? I would think it would be the same device?

I also checked the BIOS and it seems to be detecting the hard disk properly.

My question is, since NTLDR is present on c:\, it seems that it must be trying to boot from another partition? Do you think that might be the problem? If so, what change do I need to make to get it to boot from partition2? What would you suggest I try next? I know you suggested I try the repair installation option. But I just want to be sure that it will not replace my registry with a new one. I don't want to have to re-install all of my programs in order to re-build the entries in the registry.

Thanks,

Don
 
Just a quick note regarding the unknown Partition3 I mentioned in the last post. I ran DISKPART from the recovery console and its description for partition 3 is "Inactive (OS/2 Boot man". It gets truncated after that. I have no idea what this is or how it got there. Not that it necessarily matters, but just thought I'd mention it.

Don
 
Remove this line from boot.ini:
multi(0)disk(0)rdisk(0)partition(2)\Windowst="Microsoft Windows XP Professional (Temporary)" /fastdetect
This way your other installation won't interfere with the boot process.
 
Hi,

I rebuilt the boot.ini file using the recovery console "bootcfg /rebuild" option. I rebooted and still got the "NTLDR is Missing" error. I then created a new boot.ini file on another system and only included my temporary Windows installation (since that's the only one that has a working Administrator account password) and copied it over from a floppy drive. I rebooted and still got the "NTLDR is Missing" error.

A couple of things I noticed that seem odd are:

1. When I run fixboot with no options, it says the target partition is E:? That's the weird partition that I don't know where it came from or what it is? That makes me think that it's trying to boot from that partition, rather than my C: Drive partition.

2. When I run fixmbr \device\harddisk0, I get the warning about it detecting an invalid or non-standard partition table signature. If I let it run and try to run it again, I get the same error? Like it can't create a good one itself? However, if I run "fixmbr c:" it runs without any warnings or errors. Again, this kind of makes me think it's looking at partition3, rather than partition2.

How can I tell which partition it's looking at, or how can I get it to look at partition2? I'm thinking of using diskpart in recovery console to delete partition3. What would you suggest?

Thanks,

Don
 
"invalid or non-standard partition table signature" may indicate a problem with the drive itself.

Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
Make sure you select the tool that is appropriate for the brand of your hard drive.
Depending on the program, it'll create a bootable floppy or a bootable CD.
If the downloaded file is an .iso, use ImgBurn: http://www.imgburn.com/ to burn the .iso file to a CD (select the "Write image file to disc" option) to make the CD bootable.
For Toshiba hard drives, see here: http://sdd.toshiba.com/main.aspx?Pa...rivesUSandCanada/SoftwareUtilities#diagnostic

Note: If you do not know how to set your computer to boot from CD, follow the steps HERE
 
Hi,

I ran some hard drive diagnostics and it ran clean. I don't think that's the problem. I think the problem is that the active partition is set to partition3, rather than partition2. That's why the fixboot command is defaulting to my Drive E:.

I'm having a problem finding out how to check/change the active partition when you can't boot Windows. Can you tell me how to do that? The "diskpart" command in the recovery console does not permit you to change the active partition.

Thanks,

Don
 
I have GREAT news! I was able to fix the "NTLDR is Missing" error, as well as the BSOD 7B error!

I created a Windows XP boot floppy disk and a boot.ini file to match my system and boot into my normal Windows partition. I then told it to use the Last Known Good Configuration and it booted fine! I then used Disk Manager to check my partitions, and as I suspected that new unknown partition had been changed to be the active partition, rather than my drive C partition. So I changed my drive C back to be the active partition and I deleted the unknown partition. I then logged off and tried logging in under the Administrator account to see if it knew my actual password, and it did! For whatever reason the repair console didn't recognize it?

When I logged in the first time I got an error from TDSSKiller saying "Tool failure. Tool must be first run without -postboot". So I booted into Safe Mode and ran TDSSKiller. It told me to reboot, which I did. When I logged on the TDSSKiller scan began. It ended and said "Backdoor.Tidserv has not been found on your computer".

Since I got Windows to reboot, I have not noticed iexplore processes running in the background. So, I'm not sure if the virus is still lurking out there or not???

So, what should I do next (if anything)?

Thanks,

Don
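The failure Don worked through above (the active flag moved from the NTFS partition that boot.ini's default= line points at, partition(2), onto an unknown "OS/2 Boot Manager" partition, so the BIOS loads a boot sector that never finds NTLDR) can be checked mechanically from the MBR and boot.ini alone. The Python below is an added example for this thread, not a tool anyone in it used; the MBR sectors and boot.ini text are constructed to mirror the "map" and boot.ini output posted earlier, and the partition(N) mapping assumes only primary partitions, numbered in table order.

```python
"""Cross-check the MBR active flag against the partition boot.ini expects.

Added example for this thread, not a tool used in it. MBR sectors below are
constructed; partition(N) is assumed to count primary partitions in table order.
"""
import re
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # first of the four 16-byte partition entries
SIGNATURE = b"\x55\xAA"     # the "partition table signature" fixmbr complains about
ACTIVE_FLAG = 0x80

# Partition type IDs that occur in this thread's disk layout.
PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0A: "OS/2 Boot Manager"}

ARC_PATH = re.compile(r"multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)")


def build_mbr(entries):
    """Build a 512-byte MBR from (active, type_id, start_lba, size_sectors) tuples (constructed data)."""
    mbr = bytearray(SECTOR_SIZE)
    for slot, (active, type_id, start_lba, size_sectors) in enumerate(entries[:4]):
        off = TABLE_OFFSET + 16 * slot
        mbr[off] = ACTIVE_FLAG if active else 0x00
        mbr[off + 4] = type_id
        struct.pack_into("<II", mbr, off + 8, start_lba, size_sectors)  # LBA start, length
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts; raise on a bad signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("invalid or non-standard partition table signature")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, type_id = sector[off], sector[off + 4]
        start_lba, size_sectors = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0x00:                 # empty slot
            continue
        parts.append({
            "number": len(parts) + 1,       # 1-based, primaries in table order (assumption)
            "active": status == ACTIVE_FLAG,
            "type_id": type_id,
            "type_name": PART_TYPES.get(type_id, f"unknown (0x{type_id:02X})"),
            "start_lba": start_lba,
            "size_mb": size_sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return parts


def bootini_default_partition(bootini_text):
    """Extract N from the partition(N) in boot.ini's default= ARC path."""
    m = re.search(r"^default=(.*)$", bootini_text, re.M)
    if not m:
        raise ValueError("boot.ini has no default= line")
    arc = ARC_PATH.match(m.group(1).strip())
    if not arc:
        raise ValueError(f"unrecognised ARC path: {m.group(1)!r}")
    return int(arc.group(1))


def check_boot_config(sector, bootini_text):
    """Return findings; an empty list means the active partition is the one boot.ini names."""
    parts = parse_mbr(sector)
    expected = bootini_default_partition(bootini_text)
    active = [p for p in parts if p["active"]]
    findings = []
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
        return findings
    a = active[0]
    if a["number"] != expected:
        findings.append(f"active flag is on partition {a['number']} ({a['type_name']}, "
                        f"{a['size_mb']} MB) but boot.ini default is partition({expected}); "
                        f"the BIOS loads that partition's boot sector, so NTLDR is never found")
    if a["type_id"] == 0x0A:
        findings.append("active partition is typed OS/2 Boot Manager, unexpected on an XP system")
    return findings


# Constructed boot.ini with the same default= line as the one posted in the thread.
BOOT_INI = ("[boot loader]\ntimeout=5\ndefault=multi(0)disk(0)rdisk(0)partition(2)\n"
            "[operating systems]\nmulti(0)disk(0)rdisk(0)partition(2)\\Windows=\"XP\" /fastdetect\n")

# Layout from the "map" output: 62 MB FAT16 utility, 76222 MB NTFS, 8 MB stray partition.
# Sizes are in sectors (1 MB = 2048 sectors); starts are laid out contiguously after sector 63.
HEALTHY_MBR = build_mbr([(False, 0x06, 63, 62 * 2048),
                         (True, 0x07, 63 + 62 * 2048, 76222 * 2048),
                         (False, 0x0A, 63 + 76284 * 2048, 8 * 2048)])
# Same table with the active flag moved onto the stray partition, as Disk Manager showed.
TAMPERED_MBR = build_mbr([(False, 0x06, 63, 62 * 2048),
                          (False, 0x07, 63 + 62 * 2048, 76222 * 2048),
                          (True, 0x0A, 63 + 76284 * 2048, 8 * 2048)])

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_boot_config(mbr, BOOT_INI) or ["OK"])
```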
 
Hi,

Here are the logs you requested. The only thing I've noticed as odd, since fixing the MBR problem, is when I launch Outlook a winword.exe process is started in the background. I don't recall seeing that happen until I create/open an E-mail normally. I have not noticed iexplore.exe launching in the background anymore.

Here are the results of the Malwarebytes Quick Scan:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8138

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/11/2011 8:46:43 AM
mbam-log-2011-11-11 (08-46-43).txt

Scan type: Quick scan
Objects scanned: 298208
Time elapsed: 15 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here are the results from GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-11 10:39:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y080M0 rev.YAR51HW0
Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT 86E88538 ZwAlertResumeThread
SSDT 86E88A78 ZwAlertThread
SSDT 86CCDC10 ZwAllocateVirtualMemory
SSDT 86F469A0 ZwConnectPort
SSDT 86F4A4A0 ZwCreateMutant
SSDT 86E834C8 ZwCreateThread
SSDT 86CEFD98 ZwFreeVirtualMemory
SSDT 86E87D28 ZwImpersonateAnonymousToken
SSDT 86E88460 ZwImpersonateThread
SSDT 86E84548 ZwMapViewOfSection
SSDT 86E87C50 ZwOpenEvent
SSDT 872E3560 ZwOpenProcessToken
SSDT 872C85B8 ZwOpenThreadToken
SSDT 86E21C68 ZwResumeThread
SSDT 872D80C8 ZwSetContextThread
SSDT 872C6930 ZwSetInformationProcess
SSDT 872C2A30 ZwSetInformationThread
SSDT 86E817C0 ZwSuspendProcess
SSDT 86E8AD50 ZwSuspendThread
SSDT 872DF5C8 ZwTerminateProcess
SSDT 86E89920 ZwTerminateThread
SSDT 86EB00B8 ZwUnmapViewOfSection
SSDT 86D5FD98 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 7C 804DB6E8 8 Bytes [38, 85, E8, 86, 78, 8A, E8, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804DBAAC 8 Bytes [C0, 17, E8, 86, 50, AD, E8, ...]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6A9EF80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs nlem32nt.sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device BA79FD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice nlem32nt.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----

Here are the DDS.SCR DDS.TXT results:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by don at 10:41:13 on 2011-11-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.294 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\WINDOWS\SYSTEM32\k9nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QD FastAndSafe] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [POINTER] "c:\program files\microsoft hardware\mouse\point32.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: NoStrCmpLogical = 01000000
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://srv1/ConnectComputer/nshelp.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
DPF: {72770C4F-967D-4517-982B-92D6B9015649} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37602.2634837963
DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - hxxp://www.splashspot.com/ssviewer2/2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cecli scecli scecli
.
============= SERVICES / DRIVERS ===============
.
R0 nlem32nt;nlem32nt;c:\windows\system32\drivers\nlem32nt.sys [2011-10-20 70024]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2002-4-17 4064]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [2002-3-28 57856]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-5 22216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111110.035\NAVENG.SYS [2011-11-11 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111110.035\NAVEX15.SYS [2011-11-11 1576312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-10-29 32000]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== File Associations ===============
.
.txt=UltraEdit.txt
.
=============== Created Last 30 ================
.
2011-11-11 14:01:09 709968 ----a-w- c:\windows\isRS-000.tmp
2011-11-05 18:26:56 -------- d-----w- c:\documents and settings\don devoto\application data\Malwarebytes
2011-11-05 18:26:46 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-05 18:26:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-05 18:26:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-05 17:50:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-05 17:50:50 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-04 21:33:49 -------- d-----w- C:\tmp
2011-11-04 16:47:33 -------- d-----w- c:\windows\tmp
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-11-01 15:43:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 14:16:15 70024 ----a-w- c:\windows\system32\drivers\nlem32nt.sys
2011-10-20 14:16:15 55160 ----a-w- c:\windows\system32\nlem32nt.dll
2011-10-20 14:16:15 39288 ----a-w- c:\windows\system32\secbuild.dll
2011-10-20 14:16:15 30072 ----a-w- c:\windows\system32\sectools.dll
2011-10-14 13:24:27 -------- d-----w- c:\program files\iPod
2011-10-14 13:24:00 -------- d-----w- c:\program files\iTunes
2011-10-14 13:16:43 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-22 10:39:52 52080 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
2011-08-22 10:39:46 113008 ----a-w- c:\windows\system32\gotomon.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 10:41:43.81 ===============

Here are the DDS.SCR ATTACH.TXT results:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/18/2002 5:38:56 PM
System Uptime: 11/11/2011 8:22:37 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0J3492
Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 37.871 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (PPTP)
Device ID: ROOT\MS_PPTPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPTP)
PNP Device ID: ROOT\MS_PPTPMINIPORT\0000
Service: PptpMiniport
.
==== System Restore Points ===================
.
RP1: 11/10/2011 4:59:01 PM - System Checkpoint
RP2: 11/11/2011 8:16:59 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.3 Standard
Adobe AIR
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Image Viewer Plugin 4.0
Adobe PageMaker 6.5
Adobe Photoshop Album
Adobe Reader 9.4.6
Adobe Type Manager 4.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Attendance Rx
Backup4all 3
Bonjour
Calculator Powertoy for Windows XP
Canon i850
Cloudmark Desktop for Microsoft Outlook
Compatibility Pack for the 2007 Office system
Data Access Objects (DAO) 3.5
DellTouch
Easy CD Creator 5 Basic
frameworks Canada
Google Earth Plug-in
Google Update Helper
GoToMeeting 4.0.0.320
GoToMyPC
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel Application Accelerator
Internet Explorer Q903235
Ipswitch WS_FTP Professional 2006
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 15
LiveUpdate 3.3 (Symantec Corporation)
LSA IRIS
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Access 2000 SR-1 Runtime
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft FrontPage 2000
Microsoft IntelliPoint 4.0
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ 5.0
Microsoft Visual FoxPro 5.0
Microsoft Windows Journal Viewer
MobileMe Control Panel
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
NetLib Encryptionizer DE Distribution
NovaXchange for Windows NT
NuMega BoundsChecker 6.5 Visual C++ Edition
NVIDIA Drivers
OGA Notifier 2.0.0048.0
QuarkXPress
QuickTime
QuickTime for Windows (32-bit)
RedTitan EscapeE
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shadow Copy Client
Shockwave
SoundMAX
StuffIt Standard
Symantec Endpoint Protection
Tweak UI
UltraEdit 16.10
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Resource Kit Tools
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinPcap 3.1 beta4
WinSCP 4.3.4
WinZip 11.1
WordPerfect Office 11
.
==== Event Viewer Messages From Past Week ========
.
11/8/2011 7:53:06 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
11/8/2011 3:17:27 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the COM+ System Application service, but this action failed with the following error: An instance of the service is already running.
11/7/2011 9:58:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI
11/7/2011 9:57:22 AM, error: PSched [14105] - QoS [Adapter {A14D5FFA-4DCF-4B75-9FEB-E85075658748}]: The UpperBindings key is missing from the registry.
11/7/2011 10:33:45 AM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/7/2011 10:33:45 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/7/2011 10:33:32 AM, error: NETLOGON [5719] - No Domain Controller is available for domain datalink due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
11/7/2011 10:00:36 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/5/2011 3:56:35 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the GoToMyPC service.
11/5/2011 3:55:53 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/5/2011 3:55:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 IdeBusDr IdeChnDr IntelIde
11/5/2011 12:56:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/5/2011 12:55:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
11/5/2011 12:55:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The K9 Time Synchronization service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2011 12:40:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip
11/5/2011 1:05:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/4/2011 3:32:01 PM, error: Service Control Manager [7023] - The 725 service terminated with the following error: The specified procedure could not be found.
11/4/2011 2:38:15 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/4/2011 2:33:31 PM, error: Service Control Manager [7034] - The Indexing Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:33:01 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:32:43 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:32:27 PM, error: Service Control Manager [7034] - The K9 Time Synchronization service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:32:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
11/4/2011 2:32:27 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/4/2011 2:31:50 PM, error: Service Control Manager [7034] - The Uninterruptible Power Supply service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:31:32 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2011 2:30:55 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/4/2011 2:25:37 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 2 time(s).
11/4/2011 2:24:09 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
11/11/2011 7:49:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
11/10/2011 1:40:21 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
.
==== End Of File ===========================

Thanks,

Don
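As an added example (not code from the thread), here is a small Python parser for lines in the DDS "Event Viewer Messages" format posted above; it tallies the Service Control Manager 7026 driver-load failures, lists services that crashed (7031/7034), and flags AV and network drivers from a watch list. The sample lines and the watch list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the DDS "Event Viewer Messages" format
# (modelled on the entries posted above, not copied from the log).
SAMPLE_EVENTS = """\
11/5/2011 12:55:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr Fips SRTSP SRTSPX SYMTDI Tcpip
11/5/2011 12:55:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2011 2:38:15 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/7/2011 9:58:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr Fips SRTSP SYMTDI
"""

# One DDS event line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")

# Hypothetical watch list (an assumption, not an authoritative list): the
# Symantec filter/network drivers and core TCP/IP drivers seen in the posted
# log. Repeated load failures of these are worth a closer look, since malware
# that disables AV or networking drivers shows up exactly this way.
WATCH_DRIVERS = {"SRTSP", "SRTSPX", "SYMTDI", "SPBBCDrv", "eeCtrl", "Tcpip", "AFD"}


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def failed_drivers(event):
    """Driver names listed in a 7026 'failed to load' event (empty otherwise)."""
    if event["event_id"] != 7026:
        return []
    marker = "failed to load:"
    idx = event["message"].find(marker)
    if idx < 0:
        return []
    return event["message"][idx + len(marker):].split()


def crashed_service(event):
    """Service name from a 7031/7034 'terminated unexpectedly' event, else None."""
    if event["event_id"] not in (7031, 7034):
        return None
    m = CRASH_RE.match(event["message"])
    return m.group("svc") if m else None


def summarize(text):
    """Aggregate event IDs, per-driver load failures, crashes and watch-list hits."""
    ids = defaultdict(int)
    counts = defaultdict(int)
    crashed = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip the "." spacer lines and anything unparsable
        ids[ev["event_id"]] += 1
        for drv in failed_drivers(ev):
            counts[drv] += 1
        svc = crashed_service(ev)
        if svc:
            crashed.append(svc)
    return {
        "event_ids": dict(ids),
        "driver_failures": dict(counts),
        "crashed_services": crashed,
        "flagged": sorted(d for d in counts if d in WATCH_DRIVERS),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for drv, n in sorted(report["driver_failures"].items()):
        mark = " <- watch list" if drv in WATCH_DRIVERS else ""
        print(f"{drv:10} failed to load {n} time(s){mark}")
    print("crashed services:", report["crashed_services"])
```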
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi,

I got your E-mail to run ComboFix. For some reason your post is not showing up in the thread though?

I downloaded ComboFix, disabled Malwarebytes, Symantec Endpoint Protection and Windows Firewall. I also disconnected my network cable so the internet is disconnected.

I ran ComboFix and it created a restore point and then sat there for 10 minutes. So, I remember you saying that ComboFix checks for updates, which means it needs an internet connection, so I plugged my network cable back in. A few minutes later it said it needed to install the Recovery Console. It then proceeded to display messages after each stage of completion. After it displayed the message "Completed State_24" (I think this was the last one it displayed), I got a BSOD 0xCA indicating "Plug and Play detected an error most likely caused by a faulty driver".

So, I rebooted my computer. But I'm not sure if I should just run it again, or if you suggest I do something else first?

I did have my iPhone plugged into my computer for charging. Do you think that may have caused a problem?

Thanks,

Don
 
Hi,

I ran ComboFix again and it ran successfully this time!

Here's the log file.

ComboFix 11-11-11.06 - don 11/11/2011 16:38:16.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.382 [GMT -6:00]
Running from: c:\documents and settings\Don DeVoto\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserName.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Don DeVoto\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Don DeVoto\g2mdlhlpx.exe
c:\documents and settings\Don DeVoto\WINDOWS
c:\program files\Internet Explorer\SET233.tmp
c:\program files\Internet Explorer\SET234.tmp
c:\program files\Internet Explorer\SET236.tmp
c:\program files\Internet Explorer\SET44.tmp
c:\program files\Internet Explorer\SET45.tmp
c:\program files\Internet Explorer\SET47.tmp
c:\program files\Internet Explorer\SET56.tmp
c:\program files\Internet Explorer\SET57.tmp
c:\program files\Internet Explorer\SET59.tmp
c:\program files\Internet Explorer\SETAF.tmp
c:\program files\Internet Explorer\SETB0.tmp
c:\program files\Internet Explorer\SETB2.tmp
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\ocget.dll
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\help\wmplayer.bak
c:\windows\system32\_004388_.tmp.dll
c:\windows\system32\_004389_.tmp.dll
c:\windows\system32\_004390_.tmp.dll
c:\windows\system32\_004391_.tmp.dll
c:\windows\system32\_004396_.tmp.dll
c:\windows\system32\_004397_.tmp.dll
c:\windows\system32\_004398_.tmp.dll
c:\windows\system32\_004399_.tmp.dll
c:\windows\system32\_004400_.tmp.dll
c:\windows\system32\_004401_.tmp.dll
c:\windows\system32\_004402_.tmp.dll
c:\windows\system32\_004403_.tmp.dll
c:\windows\system32\_004404_.tmp.dll
c:\windows\system32\_004406_.tmp.dll
c:\windows\system32\_004407_.tmp.dll
c:\windows\system32\_004409_.tmp.dll
c:\windows\system32\_004410_.tmp.dll
c:\windows\system32\_004411_.tmp.dll
c:\windows\system32\_004413_.tmp.dll
c:\windows\system32\_004416_.tmp.dll
c:\windows\system32\_004417_.tmp.dll
c:\windows\system32\_004419_.tmp.dll
c:\windows\system32\_004420_.tmp.dll
c:\windows\system32\_004421_.tmp.dll
c:\windows\system32\_004422_.tmp.dll
c:\windows\system32\_004423_.tmp.dll
c:\windows\system32\_004424_.tmp.dll
c:\windows\system32\_004425_.tmp.dll
c:\windows\system32\_004426_.tmp.dll
c:\windows\system32\_004427_.tmp.dll
c:\windows\system32\_004429_.tmp.dll
c:\windows\system32\_004430_.tmp.dll
c:\windows\system32\_004431_.tmp.dll
c:\windows\system32\_004432_.tmp.dll
c:\windows\system32\_004433_.tmp.dll
c:\windows\system32\_004434_.tmp.dll
c:\windows\system32\_004435_.tmp.dll
c:\windows\system32\_004436_.tmp.dll
c:\windows\system32\_004437_.tmp.dll
c:\windows\system32\_004438_.tmp.dll
c:\windows\system32\_004439_.tmp.dll
c:\windows\system32\_004442_.tmp.dll
c:\windows\system32\_004443_.tmp.dll
c:\windows\system32\_004444_.tmp.dll
c:\windows\system32\_004446_.tmp.dll
c:\windows\system32\_004447_.tmp.dll
c:\windows\system32\_004448_.tmp.dll
c:\windows\system32\_004449_.tmp.dll
c:\windows\system32\_004450_.tmp.dll
c:\windows\system32\_004452_.tmp.dll
c:\windows\system32\_004455_.tmp.dll
c:\windows\system32\_004456_.tmp.dll
c:\windows\system32\_004460_.tmp.dll
c:\windows\system32\_004461_.tmp.dll
c:\windows\system32\_004463_.tmp.dll
c:\windows\system32\_004464_.tmp.dll
c:\windows\system32\_004465_.tmp.dll
c:\windows\system32\_004466_.tmp.dll
c:\windows\system32\_004468_.tmp.dll
c:\windows\system32\_004469_.tmp.dll
c:\windows\system32\_004470_.tmp.dll
c:\windows\system32\_004471_.tmp.dll
c:\windows\system32\_004474_.tmp.dll
c:\windows\system32\_004475_.tmp.dll
c:\windows\system32\_004476_.tmp.dll
c:\windows\system32\_004477_.tmp.dll
c:\windows\system32\_004478_.tmp.dll
c:\windows\system32\_004483_.tmp.dll
c:\windows\system32\_004485_.tmp.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\gotomon.log
c:\windows\system32\gunzip.exe
c:\windows\system32\MSMAsk32.ocx
c:\windows\system32\notepad\notepad.exe
c:\windows\system32\Packet.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-10 21:50 . 2011-11-10 21:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2011-11-10 21:50 . 2011-11-10 21:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-05 18:26 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\Don DeVoto\Application Data\Malwarebytes
2011-11-05 18:26 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-05 18:26 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-05 18:26 . 2011-11-11 14:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-05 17:50 . 2011-11-05 17:50 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-04 21:33 . 2011-11-04 21:34 -------- d-----w- C:\tmp
2011-11-04 19:20 . 2011-11-04 19:20 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-11-04 16:47 . 2011-11-04 16:50 -------- d-----w- c:\windows\tmp
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-11-01 15:43 . 2011-11-01 15:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-11-01 15:42 . 2011-11-01 15:43 -------- d-----w- c:\program files\QuickTime
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 14:16 . 2009-08-12 20:56 70024 ----a-w- c:\windows\system32\drivers\nlem32nt.sys
2011-10-20 14:16 . 2009-08-12 19:56 30072 ----a-w- c:\windows\system32\sectools.dll
2011-10-20 14:16 . 2009-08-12 19:56 55160 ----a-w- c:\windows\system32\nlem32nt.dll
2011-10-20 14:16 . 2009-08-12 19:56 39288 ----a-w- c:\windows\system32\secbuild.dll
2011-10-14 13:24 . 2011-10-14 13:24 -------- d-----w- c:\program files\iPod
2011-10-14 13:24 . 2011-10-14 13:25 -------- d-----w- c:\program files\iTunes
2011-10-14 13:16 . 2011-10-14 13:16 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2004-10-14 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-09-26 15:29 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2001-08-18 13:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2001-08-18 13:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2009-12-07 22:12 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:48 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-09-26 15:28 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 23:48 . 2004-09-26 15:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-08-22 10:39 . 2007-01-23 14:23 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2011-08-22 10:39 . 2004-12-27 14:12 113008 ----a-w- c:\windows\system32\gotomon.dll
2011-08-17 13:49 . 2009-12-07 22:12 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QD FastAndSafe"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-04-04 684032]
"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2001-08-24 167936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Outlook.lnk - c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe [2001-8-31 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 10:39 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG -off [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2003-04-04 14:33 684032 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2003-02-26 01:27 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 nlem32nt;nlem32nt;c:\windows\system32\drivers\nlem32nt.sys [10/20/2011 8:16 AM 70024]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [4/17/2002 1:02 PM 4064]
R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [3/28/2002 4:16 PM 57856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/5/2011 12:26 PM 366152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2011 3:48 PM 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/5/2011 12:26 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 8:32 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 8:32 AM 136176]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2009-09-10 c:\windows\Tasks\b4a_D3 Backups(1).job
- c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
.
2009-09-10 c:\windows\Tasks\b4a_D3 Backups.job
- c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
.
2011-11-08 c:\windows\Tasks\b4a_D3 Doc's and Library(1).job
- c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
.
2011-10-29 c:\windows\Tasks\b4a_D3 Doc's and Library.job
- c:\program files\Softland\Backup4all 3\b4aSchedStarter.exe [2008-05-21 20:50]
.
2008-07-02 c:\windows\Tasks\bkupLogs.job
- c:\library\bkupLogs\bkupLogs.exe [2011-10-28 14:46]
.
2011-11-08 c:\windows\Tasks\cleantmp.job
- c:\batch files\cleantmp.bat [2002-02-21 19:35]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 14:32]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 14:32]
.
2011-11-09 c:\windows\Tasks\outlookc.job
- c:\library\outlookc\outlookc.exe [2011-10-28 14:53]
.
2011-11-11 c:\windows\Tasks\ren1.job
- c:\batch files\ren1.bat [2007-01-22 22:15]
.
2011-11-08 c:\windows\Tasks\ren2.job
- c:\batch files\ren2.bat [2007-01-22 22:15]
.
2008-06-29 c:\windows\Tasks\startNtmsSvc.job
- c:\batch files\startNtmsSvc.bat [2002-12-27 20:17]
.
2008-05-21 c:\windows\Tasks\System Backup - Full.job
- c:\batch files\backupSystem.bat [2004-11-30 14:52]
.
2008-05-21 c:\windows\Tasks\System Backup - Incremental.job
- c:\batch files\backupSystem.bat [2004-11-30 14:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.1.18
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-NvCplDaemon - c:\windows\system32\NvCpl.dll
MSConfigStartUp-RealPlayer - c:\program files\Real\RealOne Player\realplay.exe
MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 17:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2856520603-3757435101-1358250142-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0e,d4,ad,
79,fd,e7,7d,48,37,b8,88,53,4d,be,a7,78,6f,aa,4a,1f,2c,e8,a5,08,7b,2e,aa,db,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(540)
c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Expertcity\GoToMyPC\g2svc.exe
c:\program files\Expertcity\GoToMyPC\g2comm.exe
c:\program files\Expertcity\GoToMyPC\g2pre.exe
c:\program files\Expertcity\GoToMyPC\g2tray.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\dllhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\msdtc.exe
c:\windows\system32\dllhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-11 17:28:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 23:28
.
Pre-Run: 40,558,555,136 bytes free
Post-Run: 42,370,379,776 bytes free
.
- - End Of File - - 76B3D7456570EF80FAED83FDE4D5E868

Let me know what to do next?

Thanks again for all your help so far!

Don
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt