
Malwarebytes

XP Defender Delux Removal


8 replies to this topic

#1
PhoenixComp

    New Member

  • Members
  • 4 posts
I have been looking to remove this XP Defender and it has been very stubborn. I thought I had it removed on two occasions, but it was not to be. I did the fixes in the Malwarebytes, but not the HijackThis. Both scans had to be run in Safe Mode because they would not work in regular. Here are the logs:

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:10 PM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://downloads.yah...xplorer/welcome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [P3000x_S2P] "C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [MimBoot] "C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1171388352\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Intuit SyncManager] "C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" startup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226268006687
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mnscu.webex....nbr/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.smugmu...vex/XUpload.ocx
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9742 bytes


Malwarebytes


Malwarebytes' Anti-Malware 1.38
Database version: 2360
Windows 5.1.2600 Service Pack 3

7/1/2009 10:30:16 PM
mbam-log-2009-07-01 (22-30-16).txt

Scan type: Quick Scan
Objects scanned: 109991
Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\saint hedwig\application data\xpdeluxe.exe (Rogue.XPDeluxe) -> Quarantined and deleted successfully.
c:\documents and settings\Saint Hedwig\Start Menu\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\documents and settings\Saint Hedwig\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
PhoenixComp

    New Member

  • Members
  • 4 posts
Some interesting things happened while it was scanning.
1. I was unable to stop the XP Deluxe Protector due to the computer freezing upon any attempt to stop the program. So the scan continued on.
2. The ComboFix changed my desktop and did not change it back.
3. There is what appears to be a couple of dead shortcuts on my desktop and pinned to the Start Menu; they are labeled XP Deluxe Protector, even though it appears the program is no longer running.
4. When the ComboFix restarted the computer my AV and Spyware programs restarted and tried to block some changes. I think I was able to unblock them but I am not sure.
5. While the ComboFix was generating the report an error popped up and even though I tried to "Retry" it would only move forward when I clicked "Continue" (Didn't write the error down, it was a memory location).

Here is the log from the ComboFix.

ComboFix 09-07-01.04 - Saint Hedwig 07/02/2009 10:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.515 [GMT -5:00]
Running from: G:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Saint Hedwig\XP Deluxe Protector
c:\documents and settings\Saint Hedwig\XP Deluxe Protector\xpdeluxe.exe
c:\windows\MailSwitch.ocx
c:\windows\system32\bszip.dll
c:\windows\system32\disk.dll

----- BITS: Possible infected sites -----

hxxp://gnbd1.cn
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 15:23 . 2009-07-02 15:23 29184 ----a-w- c:\windows\system32\gdi32lib.dll
2009-07-02 01:27 . 2009-07-02 01:27 57536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 00:24 . 2009-07-02 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 00:08 . 2009-07-02 00:08 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Malwarebytes
2009-07-02 00:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 00:07 . 2009-07-02 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 00:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 00:06 . 2009-07-02 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 18:43 . 2009-07-01 18:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-07-01 16:32 . 2009-07-01 16:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-07-01 00:45 . 2009-07-01 00:45 -------- d-----w- c:\program files\7-Zip
2009-06-29 00:54 . 2009-07-01 14:34 -------- d-----w- c:\windows\system32\Service
2009-06-25 21:50 . 2009-06-25 21:50 129472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-25 21:46 . 2009-06-25 21:46 -------- d-----w- c:\program files\iPod
2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\program files\iTunes
2009-06-25 21:42 . 2009-06-25 21:42 -------- d-----w- c:\program files\Bonjour
2009-06-25 21:41 . 2009-06-25 21:42 -------- d-----w- c:\program files\QuickTime
2009-06-25 21:34 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-23 17:07 . 2009-06-23 17:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-18 12:47 . 2009-06-18 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\program files\Webroot
2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Webroot
2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-06-18 12:44 . 2008-08-09 21:04 1538928 ----a-w- c:\windows\WRSetup.dll
2009-06-18 11:06 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-06-18 11:06 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-06-18 11:06 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-18 11:05 . 2009-06-18 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-06-18 11:04 . 2009-07-02 03:30 -------- d-----w- c:\program files\Trend Micro
2009-06-16 14:46 . 2009-06-16 14:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 03:42 . 2009-06-17 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-15 03:41 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 03:41 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 03:33 . 2009-06-15 03:33 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Lavasoft
2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Grisoft
2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-06-15 03:10 . 2009-06-15 03:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-14 19:29 . 2009-06-15 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-06-14 19:29 . 2009-06-17 18:58 -------- d-----w- c:\program files\Lavasoft
2009-06-14 19:22 . 2009-06-14 19:22 -------- d-----w- c:\program files\CCleaner
2009-06-14 18:46 . 2009-06-14 18:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-12 03:22 . 2002-08-14 20:03 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-06-12 03:22 . 2002-08-14 20:03 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-06-12 03:22 . 2002-08-14 20:03 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-06-12 03:22 . 2002-08-14 20:03 17005 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-06-12 01:14 . 2006-03-04 04:52 636568 ------r- c:\windows\system32\NSRSte.dll
2009-06-12 01:14 . 2009-06-13 20:28 -------- d-----w- c:\program files\Norton Save and Restore
2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-08 17:36 . 2009-06-08 17:40 -------- d-----w- C:\6de2e506145bbec873f1b3a31b1c
2009-06-08 17:05 . 2009-06-08 17:06 -------- d-----w- C:\5493a3016cc6196776b4092b00
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- C:\a09a75ff8d84a291c7
2009-06-06 04:37 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-06-05 18:57 . 2009-06-05 18:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 21:46 . 2008-06-07 22:02 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 21:35 . 2008-06-07 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-25 21:15 . 2008-06-07 22:05 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Apple Computer
2009-06-19 17:52 . 2009-02-13 03:28 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-06-19 17:52 . 2009-02-13 03:28 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-06-18 11:01 . 2006-04-08 15:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 10:53 . 2006-04-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 10:52 . 2006-04-14 17:40 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Symantec
2009-06-17 14:17 . 2006-04-08 15:07 -------- d-----w- c:\program files\Google
2009-06-16 14:31 . 2007-02-21 18:32 -------- d-----w- c:\program files\TrueAssistant
2009-06-08 19:53 . 2006-04-14 17:48 57536 ----a-w- c:\documents and settings\Saint Hedwig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 04:53 . 2009-06-06 04:53 0 ----a-w- c:\documents and settings\Saint Hedwig\Application Data\~ygw.tmp
2009-06-05 16:42 . 2008-06-07 22:02 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-31 20:37 . 2008-10-22 11:48 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\LimeWire
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:02 . 2009-02-12 18:44 2426 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-05-12 14:37 . 2009-05-10 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\10902814
2009-05-12 14:25 . 2009-05-10 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\60922809
2009-05-10 19:35 . 2009-05-10 19:35 482 ----a-w- c:\documents and settings\All Users\Application Data\60922809\20723592.exe
2009-05-10 19:27 . 2009-05-10 19:27 505 ----a-w- c:\documents and settings\All Users\Application Data\60922809\10723591.exe
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-24 05:42 . 2009-04-24 05:42 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-04-14 19:29 . 2006-04-14 19:29 88 --sh--r- c:\windows\system32\77310286E8.sys
2006-04-14 19:29 . 2006-04-14 19:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-28 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-08 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1171388352\ee\AOLSoftware.exe" [2006-09-26 50736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-5-7 221295]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-8 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1171388352\\ee\\aolsoftware.exe"=
"c:\\esp\\WINDOWS\\Espnetup.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/21/2009 9:26 PM 36368]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [6/18/2009 6:06 AM 50192]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/18/2009 6:07 AM 677128]
S3 OSIUSB2;USB Cable Service B;c:\windows\system32\drivers\slabser.sys [7/11/2007 9:28 PM 100400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-04-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-06-26 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-06-18 21:04]

2009-06-26 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-06-18 21:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-xpprotect - c:\documents and settings\Saint Hedwig\XP Deluxe Protector\xpdeluxe.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; AT&T CSM6.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\wanmpsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-02 11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 16:25

Pre-Run: 82,670,481,408 bytes free
Post-Run: 83,036,180,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

283 --- E O F --- 2009-06-16 14:48

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

It appears that your Trendmicro was interfering here, or your Spysweeper. I know both can cause a lot of problems when running Combofix.
In case you didn't purchase Spysweeper, I suggest you uninstall it, because it's an extra resource hog, running in the background while it won't protect you because it's a trial.

Then,

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

Folder::
c:\documents and settings\All Users\Application Data\10902814
c:\documents and settings\All Users\Application Data\60922809
Dirlook::
c:\windows\system32\Service
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
Registry::
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
Filelook::
c:\windows\system32\gdi32lib.dll

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook

#5
PhoenixComp

    New Member

  • Members
  • 4 posts
I uninstalled both the TrendMicro and Spy Sweeper (both of which were purchased and should not be trial versions). I then rebooted and ran the ComboFix again. The ComboFix did not reboot the machine; I did it as a function of the uninstall. The scan ran significantly quicker this time, so if there were any errors I did not see them. The last errors required me to click a button to continue, so I am guessing there were none. The "dead" shortcuts are still on my Desktop and pinned to my Start menu. I am assuming they are dead, but I have not clicked on them for fear of accidentally reinstalling the XP Protector.

Thank You for All of your help,
Brian


ComboFix 09-07-01.04 - Saint Hedwig 07/02/2009 14:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.624 [GMT -5:00]
Running from: c:\documents and settings\Saint Hedwig\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saint Hedwig\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10902814
c:\documents and settings\All Users\Application Data\10902814\pc10902814ins
c:\documents and settings\All Users\Application Data\10902814\pc10902814reg
c:\documents and settings\All Users\Application Data\60922809
c:\documents and settings\All Users\Application Data\60922809\10723591.exe
c:\documents and settings\All Users\Application Data\60922809\20723592.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 15:23 . 2009-07-02 15:23 29184 ----a-w- c:\windows\system32\gdi32lib.dll
2009-07-02 01:27 . 2009-07-02 01:27 57536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 00:24 . 2009-07-02 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 00:08 . 2009-07-02 00:08 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Malwarebytes
2009-07-02 00:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 00:07 . 2009-07-02 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 00:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 00:06 . 2009-07-02 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 00:45 . 2009-07-01 00:45 -------- d-----w- c:\program files\7-Zip
2009-06-29 00:54 . 2009-07-01 14:34 -------- d-----w- c:\windows\system32\Service
2009-06-25 21:50 . 2009-06-25 21:50 129472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-25 21:46 . 2009-06-25 21:46 -------- d-----w- c:\program files\iPod
2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\program files\iTunes
2009-06-25 21:42 . 2009-06-25 21:42 -------- d-----w- c:\program files\Bonjour
2009-06-25 21:41 . 2009-06-25 21:42 -------- d-----w- c:\program files\QuickTime
2009-06-25 21:34 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-23 17:07 . 2009-06-23 17:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-18 11:04 . 2009-07-02 19:43 -------- d-----w- c:\program files\Trend Micro
2009-06-16 14:46 . 2009-06-16 14:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 03:42 . 2009-06-17 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-15 03:41 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 03:41 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 03:33 . 2009-06-15 03:33 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Lavasoft
2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Grisoft
2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-06-15 03:10 . 2009-06-15 03:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-14 19:29 . 2009-06-15 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-06-14 19:29 . 2009-06-17 18:58 -------- d-----w- c:\program files\Lavasoft
2009-06-14 19:22 . 2009-06-14 19:22 -------- d-----w- c:\program files\CCleaner
2009-06-14 18:46 . 2009-06-14 18:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-12 03:22 . 2002-08-14 20:03 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-06-12 03:22 . 2002-08-14 20:03 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-06-12 03:22 . 2002-08-14 20:03 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-06-12 03:22 . 2002-08-14 20:03 17005 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-06-12 01:14 . 2006-03-04 04:52 636568 ------r- c:\windows\system32\NSRSte.dll
2009-06-12 01:14 . 2009-06-13 20:28 -------- d-----w- c:\program files\Norton Save and Restore
2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-08 17:36 . 2009-06-08 17:40 -------- d-----w- C:\6de2e506145bbec873f1b3a31b1c
2009-06-08 17:05 . 2009-06-08 17:06 -------- d-----w- C:\5493a3016cc6196776b4092b00
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- C:\a09a75ff8d84a291c7
2009-06-06 04:37 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-06-05 18:57 . 2009-06-05 18:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 21:46 . 2008-06-07 22:02 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 21:35 . 2008-06-07 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-25 21:15 . 2008-06-07 22:05 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Apple Computer
2009-06-19 17:52 . 2009-02-13 03:28 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-06-19 17:52 . 2009-02-13 03:28 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-06-18 11:01 . 2006-04-08 15:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 10:53 . 2006-04-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 10:52 . 2006-04-14 17:40 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Symantec
2009-06-17 14:17 . 2006-04-08 15:07 -------- d-----w- c:\program files\Google
2009-06-16 14:31 . 2007-02-21 18:32 -------- d-----w- c:\program files\TrueAssistant
2009-06-08 19:53 . 2006-04-14 17:48 57536 ----a-w- c:\documents and settings\Saint Hedwig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 04:53 . 2009-06-06 04:53 0 ----a-w- c:\documents and settings\Saint Hedwig\Application Data\~ygw.tmp
2009-06-05 16:42 . 2008-06-07 22:02 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-31 20:37 . 2008-10-22 11:48 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\LimeWire
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:02 . 2009-02-12 18:44 2426 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-24 05:42 . 2009-04-24 05:42 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-04-14 19:29 . 2006-04-14 19:29 88 --sh--r- c:\windows\system32\77310286E8.sys
2006-04-14 19:29 . 2006-04-14 19:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\gdi32lib.dll ---
Company:
File Description: VMware Module
File Version: 1, 0, 0, 1
Product Name: VMware Module
Copyright: Copyright 2005
Original Filename: VMware.dll
File size: 29184
Created time: 2009-07-02 15:23
Modified time: 2009-07-02 15:23
MD5: E25C426C4381CA5371927AF1D7DB3DB9
SHA1: DB9D18D257DF0BB2EF894E3C25DBE42FB787ED34

---- Directory of c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} ----

2009-06-25 21:47 . 2009-06-25 21:47 3654 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxInstallLog.txt
2009-03-25 06:19 . 2009-03-25 06:19 7919 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\gearaspiwdmx86.cat
2009-03-19 21:38 . 2009-03-19 21:38 2763 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\GEARAspiWDM.inf
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-02-04 18:56 . 2009-02-04 18:56 75112 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe
2008-04-17 17:12 . 2008-04-17 17:12 107368 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspi.dll
2006-11-02 11:21 . 2006-11-02 11:21 319456 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxAPI.dll

---- Directory of c:\windows\system32\Service ----

2009-07-01 14:34 . 2009-07-01 14:34 928 ----a-w- c:\windows\system32\Service\01072009_TIS17_SfFniAU.log
2009-06-29 00:54 . 2009-06-29 01:11 1856 ----a-w- c:\windows\system32\Service\28062009_TIS17_SfFniAU.log


((((((((((((((((((((((((((((( SnapShot@2009-07-02_16.10.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-02 19:43 . 2009-07-02 19:43 16384 c:\windows\Temp\Perflib_Perfdata_a8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-28 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-08 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1171388352\ee\AOLSoftware.exe" [2006-09-26 50736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-5-7 221295]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-8 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1171388352\\ee\\aolsoftware.exe"=
"c:\\esp\\WINDOWS\\Espnetup.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 OSIUSB2;USB Cable Service B;c:\windows\system32\drivers\slabser.sys [7/11/2007 9:28 PM 100400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-04-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 14:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-02 15:01
ComboFix-quarantined-files.txt 2009-07-02 20:01
ComboFix2.txt 2009-07-02 16:25

Pre-Run: 83,708,407,808 bytes free
Post-Run: 83,693,498,368 bytes free

232 --- E O F --- 2009-06-16 14:48
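As an added example (not part of this thread and not ComboFix's own code), here is a small Python script that parses the REGEDIT4-style "Reg Loading Points" section of the ComboFix log above and flags the Security Center and Windows Firewall settings it records (AntiVirusDisableNotify, UpdatesDisableNotify, DisableMonitoring set to 1, EnableFirewall set to 0), which are worth re-checking after a rogue antivirus cleanup. The embedded excerpt is copied from the log in this post; the rule table and function names are my own and not a ComboFix feature.

```python
import re

# Excerpt of the "Reg Loading Points" section from the ComboFix log posted
# above: REGEDIT4-style [KEY] headers followed by "name"=value lines.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_value(raw):
    """Turn ComboFix's rendering of a registry value into an int or str."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)  # "0 (0x0)" style
    if m:
        return int(m.group(1))
    if raw.startswith('"'):  # quoted path; ComboFix appends "[date size]"
        return raw[1:raw.find('"', 1)]
    return raw


def parse_reg_blocks(text):
    """Return {key_path: {value_name: value}} for every [KEY] block."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            blocks.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            blocks[current][vm.group(1)] = parse_value(vm.group(2))
    return blocks


# Hypothetical rule table (my own): value name -> (value that indicates
# tampering, explanation). Applied only under Security Center keys.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify": (1, "Security Center antivirus warnings suppressed"),
    "FirewallDisableNotify": (1, "Security Center firewall warnings suppressed"),
    "UpdatesDisableNotify": (1, "Security Center update warnings suppressed"),
    "DisableMonitoring": (1, "Security Center monitoring disabled"),
}


def find_tampering(text):
    """List (key_path, value_name, explanation) for suspicious settings."""
    findings = []
    for key, values in parse_reg_blocks(text).items():
        low = key.lower()
        if "security center" in low:
            for name, (bad, why) in SECURITY_CENTER_FLAGS.items():
                if values.get(name) == bad:
                    findings.append((key, name, why))
        elif low.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append((key, "EnableFirewall", "Windows Firewall disabled"))
    return findings


if __name__ == "__main__":
    for key, name, why in find_tampering(SAMPLE_LOG):
        print(f"{why}: {name} under {key}")
```

Run against the excerpt it reports five findings; the HKCU Run key is parsed but produces none.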

#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Quote

The "dead" shortcuts are still on my Desktop and pinned to my Start menu. I am assuming they are dead, but I have not clicked on them for fear of accidently reinstalling the XP Protector.
You can delete them manually (right-click and select Delete).

Please change your passwords as they may be known/collected.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Let me know in your next reply how things are now.

#7
PhoenixComp

    New Member

  • Members
  • Pip
  • 4 posts
I ran Malwarebytes last evening and it came up with 5 issues which it fixed. I then ran HiJack this and cleaned up the issues that I could tell needed cleaning.
Then two subsequent scans with Malwarebytes and one scan with ComboFix (just for fun) and everything seems clean. I shut the computer down for 10 minutes (that was when I would see the XP Deluxe return) and it did not return, and I left it on all night and it came up clean. There were 3 issues in my TrendMicro log after its scan last night, but I am going to remove ComboFix and Malwarebytes and see if that is what is showing up.

I think that worked.
Thank You for your help
Brian

#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.