8 replies to this topic

[Rob McC]

I was recently hit by the infamous Microsoft Antivirus Pro infection with multiple additional backdors and trojans.
Could not run Malwarebytes, SpybotSD, task manager, most exe files etc etc.
Following advice of various people I was able to regain general control, and removed my hard drive and ran a Marwarebytes scan on the drive from another computer.
which identified and removed about 32 problems.
I then reattached the drive on my PC and downloaded a fresh copy of Malwarbytes, updated and ran it again and it identified and removed about 49 more problems.
The did a full scan and it found a few more items.
(results of these three scans pasted below)

Subsequent scans have detected nothing new.

As far as I can tell, my PC is now running fairly normally except for the following two problems :

problem 1) I cannot start the Microsoft Update program.
I tried to run it manually from Explorer but tonight when it tried to download a new version of the MS Update it failed with error [Error number: 0x8024D007]
Previously I had received a different error with a set of possible fix instructions which I tried to follow, but services.msc was unable to start the updater with error 2 - "the service cannot find the file specified" (which file that was they did not say)
following another set of instructions I was told to run the command regsvr32 wuaueng.dll which failed with return code 0x80070005

problem 2) I had removed Spybot Search and Destroy from my system, but the main file spybotSD.exe is not removeable or renameable (access denied) and that prevents the installation of a new version of Spybot as well.

here is my HJT log and the two Malwarebytes logs that I ran that did remove problems - the current scans have not found any more problems
============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:02 AM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Tavultesoft\Keyman\keyman.exe
C:\Program Files\Le Robert\The Collins-Robert French Dictionary\GRCHA.exe
C:\Program Files\Le Robert\Le Grand Robert\grwinHyper.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080213
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: (no name) - {B7226DD0-3DCA-499D-A32E-A92ED4ECD803} - (no file)
O2 - BHO: (no name) - {BFEC4FFD-9C0E-4B2E-A6C7-03A9437447D9} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [keyman.exe] C:\Program Files\Tavultesoft\Keyman\keyman.exe
O4 - HKCU\..\Run: [GRC V2 Hyperappel] C:\Program Files\Le Robert\The Collins-Robert French Dictionary\GRCHA.exe
O4 - HKCU\..\Run: [grwinHyper] C:\Program Files\Le Robert\Le Grand Robert\grwinHyper.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} (CPC View ax Control) - http://www.cartesian...X/CpcViewAX.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O20 - AppInit_DLLs: gfiads.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14357 bytes

===============================
Malwarebytes log #1 (run from my laptop with Vista using my XP infected drive as an external drive)
Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 6.0.6001 Service Pack 1

8/8/2009 8:19:10 PM
mbam-log-2009-08-08 (20-19-10).txt

Scan type: Quick Scan
Objects scanned: 423804
Time elapsed: 5 hour(s), 45 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0091589.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093691.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0089589.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0090578.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093659.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0094766.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0095712.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0096720.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0097728.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0098726.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0098727.old (Trojan.Backdoor) -> Quarantined and deleted successfully.
d:\WINDOWS\aulesn.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
d:\WINDOWS\sv1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\WINDOWS\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\WINDOWS\msa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\netlogon.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
d:\WINDOWS\system32\msxml71.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\WINDOWS\Temp\t4m0_321098664145.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\_OTM\MovedFiles\08032009_004524\WINDOWS\svchast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
d:\_OTM\MovedFiles\08042009_013057\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
d:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0X6BKPI7\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4PANWHMV\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4PANWHMV\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I2CHIIX4\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
d:\Documents and Settings\Rob McConeghy\Local Settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\Documents and Settings\Rob McConeghy\Local Settings\Temp\2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


==============================
Malware bytes log 2 (run on my XP PC with the infected drive reattached as the boot drive)
Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 3

8/9/2009 9:33:46 PM
mbam-log-2009-08-09 (21-33-46).txt

Scan type: Quick Scan
Objects scanned: 99113
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 12
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Rob McConeghy\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

==========================
log #3 (also run on my XP PC)
Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 3

8/10/2009 4:11:42 AM
mbam-log-2009-08-10 (04-11-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 465067
Time elapsed: 4 hour(s), 49 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0091588.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0089588.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0090575.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0090577.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0090594.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0091586.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093656.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093658.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093675.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093685.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0093686.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0094748.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0094765.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.

=====================
latest quick scan log
Malwarebytes' Anti-Malware 1.40
Database version: 2628
Windows 5.1.2600 Service Pack 3

8/15/2009 2:40:23 AM
mbam-log-2009-08-15 (02-40-23).txt

Scan type: Quick Scan
Objects scanned: 106395
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
========================

[miekiemoes]

Hi,

First of all, Please download and run WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe
This should restore the default registry settings related with BITS and Automatic updates.

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[Rob McC]

Hi and thanks for replying.

I ran the WUS_fix
and the ComboFix

on startup of ComboFix it reported version 09-08-10.06
current date is ~ ComboFix has expired.
Click yes to run in REDUCED FUNCTIONALITY mode

I clicked yes, and everything appear to have functioned normally.
Here is the log :

------------------
ComboFix 09-08-10.06 - Rob McConeghy 08/18/2009 23:45.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1176 [GMT -7:00]
Running from: c:\documents and settings\Rob McConeghy\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2520572032-590015557-3983725444-1003
c:\$recycle.bin\S-1-5-21-2520572032-590015557-3983725444-1003\desktop.ini
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Install.txt
c:\windows\system32\Install.txt

Infected copy of c:\windows\system32\netlogon.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netlogon.dll


.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 06:46 . 2008-04-14 00:12 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-16 01:50 . 2009-08-16 01:50 -------- d-----w- c:\program files\Search Guard PlusU
2009-08-16 01:50 . 2009-08-16 01:50 -------- d-----w- c:\program files\Search Guard Plus
2009-08-16 01:48 . 2009-08-16 01:48 -------- d-----w- C:\users
2009-08-11 07:55 . 2009-08-11 07:55 -------- d-----w- c:\program files\ERUNT
2009-08-10 22:19 . 2009-08-10 22:19 -------- d--h--w- c:\windows\PIF
2009-08-10 20:38 . 2009-08-10 20:42 -------- d-----w- C:\K
2009-08-10 12:47 . 2009-08-10 12:48 106942640 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
2009-08-10 11:31 . 2009-08-10 11:31 152576 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-10 04:26 . 2009-08-10 04:26 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-10 04:26 . 2009-08-10 04:26 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Malwarebytes
2009-08-10 04:25 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 04:25 . 2009-08-10 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 04:25 . 2009-08-10 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 04:25 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 09:53 . 2009-08-09 10:03 -------- d-----w- c:\windows\system32\NtmsData
2009-08-09 07:33 . 2009-08-10 11:31 743621 ----a-w- c:\windows\system32\RPUpdates.zip
2009-08-09 07:13 . 1999-12-18 05:43 86016 ----a-w- c:\windows\unvise32.exe
2009-08-09 07:13 . 2009-08-09 07:15 -------- d-----w- c:\program files\RegistryPatrol3.0
2009-08-09 03:21 . 2009-08-09 03:21 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-03 02:52 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\Copy of rundll32.exe
2009-08-02 12:41 . 2009-08-09 07:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-02 11:39 . 2008-11-28 01:47 -------- d---a-w- c:\windows\system32\images
2009-08-02 11:38 . 2009-08-03 15:43 0 ----a-w- c:\windows\system32\drivers\b4784788.sys
2009-07-23 12:34 . 2009-07-23 12:36 -------- d-----w- c:\program files\Coupons
2009-07-23 12:34 . 2009-07-23 12:34 -------- d-----w- c:\windows\Cache
2009-07-22 21:53 . 2009-07-22 21:53 -------- d-----w- c:\program files\iPod
2009-07-22 21:52 . 2009-07-22 21:53 -------- d-----w- c:\program files\iTunes
2009-07-22 21:49 . 2009-07-22 21:49 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-20 21:14 . 2009-07-20 21:14 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Windows Search
2009-07-20 10:46 . 2009-07-20 10:46 -------- d-----w- c:\documents and settings\Rob McConeghy\Local Settings\Application Data\Identities
2009-07-20 10:46 . 2009-07-20 10:46 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Windows Desktop Search
2009-07-20 10:45 . 2009-07-21 06:51 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-20 10:45 . 2009-07-20 10:45 -------- d-----w- c:\windows\system32\GroupPolicy
2009-07-20 10:44 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-07-20 10:44 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-07-20 10:44 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 06:21 . 2008-02-20 10:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-16 09:21 . 2009-06-14 03:21 -------- d-----w- c:\program files\Concordance
2009-08-11 08:56 . 2009-07-07 21:43 70572 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-11 07:59 . 2008-02-13 00:48 -------- d-----w- c:\program files\Trend Micro
2009-08-10 22:18 . 2008-10-12 02:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-10 22:13 . 2008-10-12 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 11:32 . 2008-02-13 00:40 -------- d-----w- c:\program files\Java
2009-08-09 07:58 . 2008-02-20 09:58 89472 ----a-w- c:\documents and settings\Rob McConeghy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 07:34 . 2008-08-10 09:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 10:13 . 2008-02-13 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-29 10:10 . 2008-03-07 21:26 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-07-26 22:46 . 2009-05-08 12:00 597560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-25 12:23 . 2008-12-02 20:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 21:54 . 2009-03-04 21:11 -------- d-----w- c:\program files\Safari
2009-07-22 21:53 . 2008-03-15 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 10:37 . 2008-02-13 00:53 -------- d-----w- c:\program files\Microsoft Works
2009-07-07 21:43 . 2008-03-15 21:41 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Apple Computer
2009-07-04 23:53 . 2009-07-04 23:53 -------- d-----w- c:\program files\eRightSoft
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 15:34 . 2008-04-24 17:05 -------- d-----w- c:\program files\MediaMonkey
2009-06-27 09:56 . 2008-07-10 20:36 -------- d-----w- c:\program files\Common Files\Real
2009-06-27 09:56 . 2009-06-27 09:56 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-27 09:55 . 2009-06-27 09:55 -------- d-----w- c:\program files\Real
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 06:09 . 2009-06-11 06:09 152576 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 07:24 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-22 22:20 . 2009-05-22 22:20 34062 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Move Networks\ie_bin\Uninst.exe
2006-05-03 09:06 . 2009-07-04 23:53 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-07-04 23:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-07-04 23:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-12-12 132392]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]
"SansaDispatch"="c:\documents and settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-31 79872]
"keyman.exe"="c:\program files\Tavultesoft\Keyman\keyman.exe" [2003-08-18 127632]
"GRC V2 Hyperappel"="c:\program files\Le Robert\The Collins-Robert French Dictionary\GRCHA.exe" [2008-07-08 193808]
"grwinHyper"="c:\program files\Le Robert\Le Grand Robert\grwinHyper.exe" [2009-01-05 1118208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-16 1807696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-08-31 328992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-27 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SGPUpdater"="c:\program files\Search Guard PlusU\sgpUpdaters.exe" [2009-05-15 67456]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [2009-05-04 194432]

c:\documents and settings\Rob McConeghy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe [2009-2-25 1462272]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Le Robert\\The Collins-Robert French Dictionary\\GRCHA.exe"=
"c:\\Program Files\\Le Robert\\The Collins-Robert French Dictionary\\GRC2009.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 5:50 PM 30312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2009 9:25 PM 232720]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/16/2007 4:28 AM 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 1:03 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/12/2007 5:00 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 1:04 AM 566872]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/7/2008 1:58 PM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2009 9:25 PM 19096]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 1:03 AM 280392]
S1 b4784788;b4784788;c:\windows\system32\drivers\b4784788.sys [8/2/2009 4:38 AM 0]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 10:51 AM 14336]
S2 ias;Microsoft Security Services Management;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 10:51 AM 14336]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-18 c:\windows\Tasks\Malwarebytes' Scheduled Update for Rob McConeghy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-10 20:36]

2009-08-19 c:\windows\Tasks\User_Feed_Synchronization-{C62E19BF-5E80-4857-93E1-F462A0112FF0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B7226DD0-3DCA-499D-A32E-A92ED4ECD803} - (no file)
BHO-{BFEC4FFD-9C0E-4B2E-A6C7-03A9437447D9} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab
FF - ProfilePath - c:\documents and settings\Rob McConeghy\Application Data\Mozilla\Firefox\Profiles\default.gv3\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://cox.net
FF - component: c:\documents and settings\Rob McConeghy\Application Data\Mozilla\Firefox\Profiles\default.gv3\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o??????????????????????????????????????????????
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe??????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2530875071-1565676100-3732942425-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-08-19 0:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 07:02

Pre-Run: 160,222,306,304 bytes free
Post-Run: 160,499,064,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

329 --- E O F --- 2009-07-31 10:00

--------------------

miekiemoes, on Aug 18 2009, 04:06 AM, said:

Hi,

First of all, Please download and run WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe
This should restore the default registry settings related with BITS and Automatic updates.

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[miekiemoes]

Hi,

Combofix will be updated soon, that's why you get this error.

Anyway, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\drivers\b4784788.sys
Driver::
b4784788

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[Rob McC]

ok Combofix rerun as instructed
here is the new log
------------------------------------------
ComboFix 09-08-18.04 - Rob McConeghy 08/19/2009 16:03.2.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1124 [GMT -7:00]
Running from: c:\documents and settings\Rob McConeghy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob McConeghy\Desktop\CFScript
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\system32\drivers\b4784788.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1c910.msi
c:\windows\Installer\aa21b.msp
c:\windows\Installer\aa220.msp
c:\windows\Installer\aa223.msp
c:\windows\Installer\aa228.msp
c:\windows\system32\drivers\b4784788.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_ias
-------\Legacy_netcard
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_b4784788
-------\Service_ias


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 06:46 . 2008-04-14 00:12 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-16 01:50 . 2009-08-16 01:50 -------- d-----w- c:\program files\Search Guard PlusU
2009-08-16 01:50 . 2009-08-16 01:50 -------- d-----w- c:\program files\Search Guard Plus
2009-08-16 01:48 . 2009-08-16 01:48 -------- d-----w- C:\users
2009-08-11 07:55 . 2009-08-11 07:55 -------- d-----w- c:\program files\ERUNT
2009-08-10 22:19 . 2009-08-10 22:19 -------- d--h--w- c:\windows\PIF
2009-08-10 20:38 . 2009-08-10 20:42 -------- d-----w- C:\K
2009-08-10 12:47 . 2009-08-10 12:48 106942640 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
2009-08-10 11:31 . 2009-08-10 11:31 152576 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-10 04:26 . 2009-08-10 04:26 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-10 04:26 . 2009-08-10 04:26 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Malwarebytes
2009-08-10 04:25 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 04:25 . 2009-08-10 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 04:25 . 2009-08-10 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 04:25 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 09:53 . 2009-08-09 10:03 -------- d-----w- c:\windows\system32\NtmsData
2009-08-09 07:33 . 2009-08-10 11:31 743621 ----a-w- c:\windows\system32\RPUpdates.zip
2009-08-09 07:13 . 1999-12-18 05:43 86016 ----a-w- c:\windows\unvise32.exe
2009-08-09 07:13 . 2009-08-09 07:15 -------- d-----w- c:\program files\RegistryPatrol3.0
2009-08-09 03:21 . 2009-08-09 03:21 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-03 02:52 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\Copy of rundll32.exe
2009-08-02 12:41 . 2009-08-09 07:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-23 12:34 . 2009-07-23 12:36 -------- d-----w- c:\program files\Coupons
2009-07-23 12:34 . 2009-07-23 12:34 -------- d-----w- c:\windows\Cache
2009-07-22 21:53 . 2009-07-22 21:53 -------- d-----w- c:\program files\iPod
2009-07-22 21:52 . 2009-07-22 21:53 -------- d-----w- c:\program files\iTunes
2009-07-22 21:49 . 2009-07-22 21:49 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 21:04 . 2008-02-20 10:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-19 08:27 . 2009-06-14 03:21 -------- d-----w- c:\program files\Concordance
2009-08-11 08:56 . 2009-07-07 21:43 70572 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-11 07:59 . 2008-02-13 00:48 -------- d-----w- c:\program files\Trend Micro
2009-08-10 22:18 . 2008-10-12 02:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-10 22:13 . 2008-10-12 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 11:32 . 2008-02-13 00:40 -------- d-----w- c:\program files\Java
2009-08-09 07:58 . 2008-02-20 09:58 89472 ----a-w- c:\documents and settings\Rob McConeghy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 07:34 . 2008-08-10 09:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 10:13 . 2008-02-13 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-29 10:10 . 2008-03-07 21:26 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-07-26 22:46 . 2009-05-08 12:00 597560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-25 12:23 . 2008-12-02 20:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 21:54 . 2009-03-04 21:11 -------- d-----w- c:\program files\Safari
2009-07-22 21:53 . 2008-03-15 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 06:51 . 2009-07-20 10:45 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-20 21:14 . 2009-07-20 21:14 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Windows Search
2009-07-20 10:46 . 2009-07-20 10:46 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Windows Desktop Search
2009-07-20 10:37 . 2008-02-13 00:53 -------- d-----w- c:\program files\Microsoft Works
2009-07-07 21:43 . 2008-03-15 21:41 -------- d-----w- c:\documents and settings\Rob McConeghy\Application Data\Apple Computer
2009-07-04 23:53 . 2009-07-04 23:53 -------- d-----w- c:\program files\eRightSoft
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 15:34 . 2008-04-24 17:05 -------- d-----w- c:\program files\MediaMonkey
2009-06-27 09:56 . 2008-07-10 20:36 -------- d-----w- c:\program files\Common Files\Real
2009-06-27 09:56 . 2009-06-27 09:56 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-27 09:55 . 2009-06-27 09:55 -------- d-----w- c:\program files\Real
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 06:09 . 2009-06-11 06:09 152576 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 07:24 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-22 22:20 . 2009-05-22 22:20 34062 ----a-w- c:\documents and settings\Rob McConeghy\Application Data\Move Networks\ie_bin\Uninst.exe
2006-05-03 09:06 . 2009-07-04 23:53 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-07-04 23:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-07-04 23:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_06.51.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 23:13 . 2009-08-19 23:13 16384 c:\windows\Temp\Perflib_Perfdata_204.dat
+ 2004-08-10 17:51 . 2009-08-19 20:08 562050 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2009-08-19 06:06 562050 c:\windows\system32\perfh009.dat
+ 2004-08-10 17:51 . 2009-08-19 20:08 116888 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2009-08-19 06:06 116888 c:\windows\system32\perfc009.dat
+ 2009-08-19 20:04 . 2009-08-19 20:04 258048 c:\windows\ERDNT\AutoBackup\8-19-2009\Users\00000002\UsrClass.dat
+ 2009-08-19 20:04 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\8-19-2009\ERDNT.EXE
+ 2009-08-19 20:04 . 2009-08-19 20:04 19165184 c:\windows\ERDNT\AutoBackup\8-19-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-12-12 132392]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]
"SansaDispatch"="c:\documents and settings\Rob McConeghy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-31 79872]
"keyman.exe"="c:\program files\Tavultesoft\Keyman\keyman.exe" [2003-08-18 127632]
"GRC V2 Hyperappel"="c:\program files\Le Robert\The Collins-Robert French Dictionary\GRCHA.exe" [2008-07-08 193808]
"grwinHyper"="c:\program files\Le Robert\Le Grand Robert\grwinHyper.exe" [2009-01-05 1118208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-16 1807696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-08-31 328992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-27 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SGPUpdater"="c:\program files\Search Guard PlusU\sgpUpdaters.exe" [2009-05-15 67456]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [2009-05-04 194432]

c:\documents and settings\Rob McConeghy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe [2009-2-25 1462272]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Le Robert\\The Collins-Robert French Dictionary\\GRCHA.exe"=
"c:\\Program Files\\Le Robert\\The Collins-Robert French Dictionary\\GRC2009.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R?2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 10:51 AM 14336]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 5:50 PM 30312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2009 9:25 PM 232720]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/16/2007 4:28 AM 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 1:03 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/12/2007 5:00 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 1:04 AM 566872]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/7/2008 1:58 PM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2009 9:25 PM 19096]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 1:03 AM 280392]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Rob McConeghy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-10 20:36]

2009-08-19 c:\windows\Tasks\User_Feed_Synchronization-{C62E19BF-5E80-4857-93E1-F462A0112FF0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab
FF - ProfilePath - c:\documents and settings\Rob McConeghy\Application Data\Mozilla\Firefox\Profiles\default.gv3\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://cox.net
FF - component: c:\documents and settings\Rob McConeghy\Application Data\Mozilla\Firefox\Profiles\default.gv3\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o??????????????????????????????????????????????
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe??????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2530875071-1565676100-3732942425-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-08-19 16:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 23:27
ComboFix2.txt 2009-08-19 07:02

Pre-Run: 160,374,738,944 bytes free
Post-Run: 160,093,745,152 bytes free

304

-------------------------------------------

miekiemoes, on Aug 19 2009, 12:30 AM, said:

Hi,

Combofix will be updated soon, that's why you get this error.

Anyway, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[miekiemoes]

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[Rob McC]

Everything seems to be working well now.
I still could not delete the old SpybotSD.exe file normally
but I deleted it with FileAssasin without any problem.

Thanks so much for your expert help !
You folks are amazing !

Rob
-------------------

miekiemoes, on Aug 20 2009, 02:12 AM, said:

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[miekiemoes]

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.