9 replies to this topic

[DebS]

Greetings Forum!

Unfortunately I've been through this before, but hopefully I've cleaned my computer. Once again my spouse infected the computer with malware, this one was pretend security that looks like windows security. None of my antivirus or anti-malware programs would work, system restore points were missing, and both mozilla and ie browsers were hijacked to rougue antivirus/malware sites. You know the drill.

So I got myself into this forum and downloaded combofix and ran it. After the reboot step it stalled (over an hour) so I rebooted agin, but once I did NAV found "packed.generic.200" on the C drive. I guess Combofix fixed something before it stalled. I wrote down these file names before the first reboot:
C:\Windows\system32\drivers\UACxrxhxvnmbn.sys
C:\Windows\system32\UACmwqvdymtyp.dll
C:\Windows\system32\UACbpjwchvxtu.dll
C:\Windows\system32\UACfybwenppaf.dat
C:\Windows\system32\UACwadljwljsp.dll
C:\Windows\system32\UACiqqfalnosc.dll


At this point I was able to update and run MBAM. It found

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbpjwchvxtu.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiqqfalnosc.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0045781.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0045783.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0045811.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0046016.exe (Trojan.FakeAlert) -> No action taken.

I cleaned these, disabled system restore, and updated and did a full scan with NAV. It found these same viruses on my G drive. I cleaned them off too. BIG QUESTION: Does MBAM scan all drives? I thought it did and I was surprised to find these on the G drive.

So then I disabled NAV and Teatimer, and ran MBAM and Hijack This. Here are the latest logs.

Malwarebytes' Anti-Malware 1.41
Database version: 2782
Windows 5.1.2600 Service Pack 3

9/12/2009 12:11:00 PM
mbam-log-2009-09-12 (12-11-00).txt

Scan type: Quick Scan
Objects scanned: 108188
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:51 AM, on 9/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/index2.psp"); (C:\Documents and Settings\SIWIKMULLER\Application Data\Mozilla\Profiles\default\oxa42qqy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\SIWIKMULLER\Application Data\Mozilla\Profiles\default\oxa42qqy.slt\prefs.js)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.net...ar/netscape.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195748364906
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7745 bytes



Am I clean yet? Thanks for all your hard work.

[negster22]

Hello DebS,

Quote

BIG QUESTION: Does MBAM scan all drives? I thought it did and I was surprised to find these on the G drive.

The complete scan gives a pop-up dialog with option to check all installed drives.

Your HJT log is clean but shows a vulnerable version of Java running at startup.

Your MBAM log is clean now - it only shows Combofix quarantined threats and SR data sequestered threats

A word of warning - please do not run Combofix unattended and honor the alert/disclaimer provided by the developer sUBs which is displayed when you run the program. You had a tdss rootkit variant (UAC) which CF probably removed but I will need to see the log to verify that.

Please post C:\Combofix.txt

Your HJT log shows that you have an ancient and vulnerable version of the Java (JRE) installed which may be the source of your infections.

Please update the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16.

You can check your currently installed JRE version here.

1. Download the latest JRE version at the http://java.sun.com/...loads/index.jsp Sun Microsystem's website
2. Select the option that says: "Java SE Runtime Environment (JRE) JRE 6 Update 16" This special release provides a few key fixes", and click Download button.
3. Select your platform: Windows, in the pull down menu.
4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."
5. Click Continue.
6. Under the Windows Platform - Java ™ SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).
9. Reboot your system
10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform
12. Ifhe Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.
13. You may verify that the current version installed properly by clicking http://java.com/en/d...d/installed.jsp here.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
  
  
• Next, click on the Delete Files button
  
  
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    
    
  • Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  
  
• Click OK to leave the Temporary Files Window
  
  
• Click OK to leave the Java Control Panel.

-

Post a new HJT log and the Combofix log please.

[DebS]

Hi neqster22, thanks for your help.

ComboFix 09-09-11.01 - SiwikMuller 09/11/2009 19:29.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.621 [GMT -4:00]
Running from: c:\documents and settings\SiwikMuller\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\Installer\18bee.msi
c:\windows\Installer\3332e.msp
c:\windows\Installer\33335.msp
c:\windows\Installer\3c02a4.msp
c:\windows\Installer\3f2802.msp
c:\windows\Installer\3f2803.msp
c:\windows\Installer\3f2804.msp
c:\windows\Installer\3f2805.msp
c:\windows\Installer\3f2806.msp
c:\windows\Installer\3f2807.msp
c:\windows\Installer\3f2808.msp
c:\windows\Installer\3f2809.msp
c:\windows\Installer\3f280a.msp
c:\windows\Installer\45a8c3.msp
c:\windows\Installer\45a8c4.msp
c:\windows\Installer\45a8c5.msp
c:\windows\Installer\45a8c6.msp
c:\windows\Installer\45a8c7.msp
c:\windows\Installer\45a8c8.msp
c:\windows\Installer\45a8c9.msp
c:\windows\Installer\45a8ca.msp
c:\windows\Installer\45a8cb.msp
c:\windows\Installer\45a8cc.msp
c:\windows\Installer\47511a.msp
c:\windows\Installer\8215c.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\uacinit.dll
c:\windows\system32\wscsvc32.exe
c:\windows\UA000035.DLL

.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 18:10 . 2009-09-11 18:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-08 22:46 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 12:56 . 2009-09-07 13:29 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\DivX
2009-09-07 12:54 . 2009-09-07 12:54 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-30 21:24 . 2009-08-30 21:29 -------- d-----w- c:\program files\eGames
2009-08-30 21:23 . 2000-03-21 04:55 118784 ----a-w- c:\windows\system32\vbalNCSM6.dll
2009-08-30 21:23 . 1999-02-19 12:54 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-20 23:52 . 2009-08-28 01:30 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\HpUpdate
2009-08-20 23:52 . 2009-08-20 23:52 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 22:26 . 2009-03-07 19:18 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Move Networks
2009-09-07 12:55 . 2009-09-07 12:54 -------- d-----w- c:\program files\DivX
2009-09-05 23:09 . 2003-07-09 01:32 -------- d-----w- c:\program files\NavNT
2009-09-05 21:12 . 2009-01-28 03:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2004-09-06 13:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-01-28 03:52 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-28 03:52 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 22:13 . 2009-07-31 22:12 -------- d-----w- c:\program files\iTunes
2009-07-31 22:12 . 2005-04-30 19:52 -------- d-----w- c:\program files\iPod
2009-07-31 22:12 . 2007-12-01 21:23 -------- d-----w- c:\program files\Common Files\Apple
2009-07-31 21:31 . 2003-07-08 23:50 37184 ----a-w- c:\documents and settings\SiwikMuller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 12:08 . 2009-07-31 00:48 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-31 12:08 . 2009-07-31 01:17 -------- d-----w- c:\program files\Windows Live
2009-07-31 12:08 . 2009-07-31 01:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:37 . 2009-07-31 01:37 102384 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-31 01:36 . 2009-07-31 01:36 -------- d-----w- c:\program files\MSBuild
2009-07-31 01:36 . 2009-07-31 01:36 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 01:20 . 2009-07-31 01:20 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-07-31 00:49 . 2009-07-31 00:49 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-30 00:09 . 2009-07-30 00:09 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\IObit
2009-07-30 00:09 . 2007-11-22 01:57 -------- d-----w- c:\program files\IObit
2009-07-26 00:46 . 2007-02-14 02:38 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Image Zone Express
2009-07-17 19:01 . 2004-09-06 13:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 02:27 . 2005-04-30 19:56 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Apple Computer
2009-07-14 03:43 . 2004-09-06 13:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:17 . 2009-09-07 12:55 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-07-14 00:17 . 2009-09-07 12:55 129784 ------w- c:\windows\system32\pxafs.dll
2009-07-14 00:17 . 2009-09-07 12:55 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-07-14 00:17 . 2009-09-07 12:55 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-07-14 00:17 . 2002-12-17 17:32 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-14 00:17 . 2002-12-17 17:32 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-07-03 17:09 . 2004-09-06 13:46 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-09-06 13:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2006-05-06 18:24 . 2006-05-06 18:24 5037072 ----a-w- c:\program files\spybotsd14.exe
2006-05-06 18:23 . 2006-05-06 18:23 7984736 ----a-w- c:\program files\ewido-setup.exe
2006-05-06 18:21 . 2006-05-06 18:21 282823 ----a-w- c:\program files\SmitfraudFix.zip
2006-05-03 15:46 . 2006-05-06 15:10 218112 ----a-w- c:\program files\HijackThis.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"vptray"="c:\program files\NavNT\vptray.exe" [2000-10-09 53248]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-25 185896]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-1-24 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-29 113664]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-2-4 1528880]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [7/9/2003 8:07 PM 4064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - NAVAP
*Deregistered* - NAVENG
*Deregistered* - NAVEX15

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-09-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\SiwikMuller\Application Data\Mozilla\Firefox\Profiles\7ipgivmu.default\
FF - plugin: c:\documents and settings\SiwikMuller\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 19:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\System32\NavLogon.dll
.
Completion time: 2009-09-11 19:46
ComboFix-quarantined-files.txt 2009-09-11 23:45
ComboFix2.txt 2009-01-29 01:40

Pre-Run: 12,089,675,776 bytes free
Post-Run: 12,039,958,528 bytes free

234 --- E O F --- 2009-09-10 23:50

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:07 PM, on 9/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("DebsRik.aim.filexfer.location", "");
user_pref("DebsRik.aim.general.im.enterCR", false);
user_pref("DebsRik.aim.general.im.smilies", true);
user_pref("DebsRik.aim.general.im.tabKey", false);
user_pref("DebsRik.aim.general.im.timeStamp", false);
user_pref("DebsRik.aim.general.snsautosignon", false);
user_pref("DebsRik.aim.general.today", true);
user_pref("DebsRik.aim.mail.presence", true);
user_pref("DebsRik.aim.session.autologin", false);
user_pref("DebsRik.aim.session.connectionname", "AIM");
user_pref("DebsRik.aim.session.firstsignon", false);
user_pref("DebsRik.aim.session.password", "0R2R0cmZi");
user_pref("DebsRik.aim.session.storepass
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("DebsRik.aim.filexfer.location", "");
user_pref("DebsRik.aim.general.im.enterCR", false);
user_pref("DebsRik.aim.general.im.smilies", true);
user_pref("DebsRik.aim.general.im.tabKey", false);
user_pref("DebsRik.aim.general.im.timeStamp", false);
user_pref("DebsRik.aim.general.snsautosignon", false);
user_pref("DebsRik.aim.general.today", true);
user_pref("DebsRik.aim.mail.presence", true);
user_pref("DebsRik.aim.session.autologin", false);
user_pref("DebsRik.aim.session.connectionname", "AIM");
user_pref("DebsRik.aim.session.firstsignon", false);
user_pref("DebsRik.aim.session.password", "0R2R0cmZi");
user_pref("DebsRik.aim.session.storepass
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_16.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_16.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.net...ar/netscape.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195748364906
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9967 bytes


I do have one thing to add. Since I cleaned the infection, at boot up I get an error message "The security information is invalid or has been modified. This program will be terminated." There's no obvious indication what program it is, but the little logo looks like the Lexar Media USB Card Reader Driver v2.1g. It would be no problem to remove it and reload it.

Thanks
D

[negster22]

Your Combofix log looks pretty clean. There are some locked registry keys and a few files you can remove but nothing malicious still. Before we script those, can you please post back this log from a previous Combofix run:
C:\Combofix2.txt

From your current CF run, I see you had evidence of the UAC rootkit in tow but I am not seeing that CF removed the UAC driver in the log you showed me.

That message you mentioned maybe from your card reader if not, it may be from this program:
"c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 36864]

You may want to investigate that also. Do you have an expired trial of that software?

[DebS]

I Ulead program was a trial version, I'll clean that off too.



ComboFix 09-01-21.04 - SiwikMuller 2009-01-28 20:28:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -5:00]
Running from: c:\documents and settings\SiwikMuller\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\SiwikMuller\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\sfzauymb.wdf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFZAUYMB
-------\Service_SFZAUYMB


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-27 23:29 . 2009-01-27 23:29 <DIR> d-------- c:\program files\Trend Micro
2009-01-27 23:25 . 2009-01-27 23:25 250 --a------ c:\windows\gmer.ini
2009-01-27 23:15 . 2009-01-27 23:15 <DIR> d-------- c:\documents and settings\SiwikMuller\Application Data\Malwarebytes
2009-01-27 22:52 . 2009-01-27 22:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 22:52 . 2009-01-27 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 22:52 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 22:52 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-27 22:10 . 2009-01-27 22:10 164 --a------ C:\install.dat
2009-01-27 19:22 . 2009-01-27 19:22 5,566 --a------ c:\windows\SYSTEM32\uacinit.dll
2009-01-24 10:32 . 2009-01-24 10:32 <DIR> d-------- c:\windows\SYSTEM32\Adobe
2009-01-24 10:32 . 2009-01-24 10:32 <DIR> d-------- c:\documents and settings\SiwikMuller\Application Data\InterTrust
2009-01-24 10:32 . 2001-03-15 04:55 101,200 --------- c:\windows\SYSTEM32\pdfshell.dll
2009-01-24 10:32 . 2001-03-15 05:18 65,536 --------- c:\windows\SYSTEM32\adistres.dll
2009-01-24 10:32 . 2001-03-15 05:18 20,584 --------- c:\windows\SYSTEM32\PdfPorts.dll
2009-01-21 21:50 . 2009-01-25 15:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy2
2009-01-10 15:24 . 2009-01-10 15:25 <DIR> d-------- c:\program files\iTunes
2009-01-10 15:24 . 2009-01-10 15:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 15:21 . 2009-01-10 15:21 <DIR> d-------- c:\program files\QuickTime
2009-01-03 10:45 . 2009-01-03 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-03 10:44 . 2009-01-03 10:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 05:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 22:01 --------- d-----w c:\documents and settings\SiwikMuller\Application Data\Image Zone Express
2009-01-24 15:32 --------- d-----w c:\program files\Common Files\Adobe
2009-01-24 15:09 --------- d-----w c:\program files\Docudesk
2009-01-22 02:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-22 01:25 --------- d-----w c:\program files\NavNT
2009-01-10 20:24 --------- d-----w c:\program files\iPod
2009-01-10 20:24 --------- d-----w c:\program files\Common Files\Apple
2009-01-03 15:45 --------- d-----w c:\program files\Lavasoft
2009-01-03 15:45 --------- d-----w c:\documents and settings\SiwikMuller\Application Data\Lavasoft
2008-12-20 15:22 --------- d-----w c:\documents and settings\SiwikMuller\Application Data\deskPDF
2008-12-19 02:50 --------- d-----w c:\program files\Avery
2008-12-13 16:19 --------- d-----w c:\documents and settings\SiwikMuller\Application Data\Amazon
2008-12-13 16:18 --------- d-----w c:\program files\Amazon
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2006-05-06 18:24 5,037,072 ----a-w c:\program files\spybotsd14.exe
2006-05-06 18:23 7,984,736 ----a-w c:\program files\ewido-setup.exe
2006-05-06 18:21 282,823 ----a-w c:\program files\SmitfraudFix.zip
2006-05-03 15:46 218,112 ----a-w c:\program files\HijackThis.exe
2008-09-17 03:08 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-27_23.11.44.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-01-28 04:25:52 884,736 ----a-w c:\windows\gmer.dll
+ 2009-01-27 01:16:30 811,008 ----a-w c:\windows\gmer.exe
+ 2004-07-15 03:36:08 200,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_aspnet_isapi.dll
+ 2004-07-15 02:50:22 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_CORPerfMonExt.dll
+ 2004-07-15 02:48:20 233,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_fusion.dll
+ 2004-07-15 02:48:28 303,104 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_mscorjit.dll
+ 2004-07-15 15:05:34 1,998,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_mscorlib.dll
+ 2004-07-15 02:50:34 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_mscorsn.dll
+ 2004-07-15 02:49:06 2,265,088 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_mscorsvr.dll
+ 2004-07-15 02:49:54 2,269,184 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_mscorwks.dll
+ 2002-01-05 08:37:28 344,064 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_msvcr70.dll
+ 2004-07-15 03:33:30 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1196\_PerfCounter.dll
+ 2004-07-15 03:36:08 200,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_aspnet_isapi.dll
+ 2004-07-15 02:50:22 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_CORPerfMonExt.dll
+ 2004-07-15 02:48:20 233,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_fusion.dll
+ 2004-07-15 02:48:28 303,104 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_mscorjit.dll
+ 2004-07-15 15:05:34 1,998,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_mscorlib.dll
+ 2004-07-15 02:50:34 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_mscorsn.dll
+ 2004-07-15 02:49:06 2,265,088 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_mscorsvr.dll
+ 2004-07-15 02:49:54 2,269,184 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_mscorwks.dll
+ 2002-01-05 08:37:28 344,064 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_msvcr70.dll
+ 2004-07-15 03:33:30 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW1296\_PerfCounter.dll
+ 2009-01-28 04:25:52 85,969 ----a-w c:\windows\SYSTEM32\DRIVERS\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"vptray"="c:\program files\NavNT\vptray.exe" [2000-10-09 53248]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-24 185896]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead Movie Wizard 3.2 SE VCD\uvPL.exe" [2006-08-09 36864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-01-24 49254]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-02-04 1528880]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2003-07-09 4064]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 20:34:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\NavNT\defwatch.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\SYSTEM32\MSGSYS.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-28 20:40:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 01:40:05
ComboFix2.txt 2009-01-28 04:13:20

Pre-Run: 18,285,686,784 bytes free
Post-Run: 18,187,313,152 bytes free

200 --- E O F --- 2009-01-28 05:22:23

[negster22]

First, disable Spybot's TeaTimer or any fixes we make will be reversed. This is a two step process.

First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident

Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
Uncheck the following:Resident "TeaTimer" (Protection of over-all system settings) Active.

You can re-enable TeaTimer when we are completely finished.

Running a CFScript

Next, open Notepad.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

File::
c:\program files\spybotsd14.exe
c:\program files\ewido-setup.exe
c:\program files\SmitfraudFix.zip

RegUnlock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Save this to your desktop as CFScript.txt by selecting File -> Save as.



Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into Combo-Fix.exe

This will cause ComboFix to run again.

Please post back the log that is opens when it finishes.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/...escan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
  
• Check the "Yes, I accept the terms of use" box.
  
• Click "Start"
  
• Check the boxes the following two boxes:
  • enable "Remove found threats"
    
  • Scan unwanted applications
• Click the Scan button to begin scanning.
  
• When the scan is done the log is automatically saved. To retrieve it
  • Close the ESET scan Window.
    
  • Now open a run line by clicking Start >> Run...
    
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
    
  • The Scan results will now display in Notepad
• Please copy and paste the ESET scan report that can be found in this location
  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post in your next reply:
C:\Combofix.txt
C:\Program Files\EsetOnlineScanner\log.txt

[DebS]

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=f063d27d5ad97f4faf59b88ec4973414
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-09-15 02:26:35
# local_time=2009-09-14 10:26:35 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 62 40 16 1952672157343750
# compatibility_mode=5889 61 66 100 903852395625000
# scanned=86594
# found=10
# cleaned=10
# scan_time=2460
C:\Documents and Settings\SiwikMuller\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7e4c5a4e.class Win32/Adware.CWS.gen application (cleaned by deleting - quarantined) 8A3DC02AF24242393EB9C9B5E2B29121 C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-1a434e1-4abe8cb9.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-42a3cd7b-2f8c1339.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-46e8eeba-32b2f9a8.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-48db91fd-380df206.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-7e718e96-642f9a01.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Documents and Settings\SiwikMuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-93e706-257f5bbf.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) DBEE24E93B7EFBC279DAA14F64E9575E C
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) E0D92AC5FDD264E4ED40D45C75934F1B C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000163.EXE Win32/Adware.WBug.A application (deleted - quarantined) E0D92AC5FDD264E4ED40D45C75934F1B C
C:\WINDOWS\Downloaded Program Files\netscape.dll probably a variant of Win32/Adware.Toolbar.PowerSearch application (cleaned by deleting - quarantined) 56ADC690A58D94E5C37951922A901142 C

ComboFix 09-09-14.02 - SiwikMuller 09/14/2009 21:05.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.600 [GMT -4:00]
Running from: c:\documents and settings\SiwikMuller\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\SiwikMuller\Desktop\CFScript.txt

FILE ::
"c:\program files\ewido-setup.exe"
"c:\program files\SmitfraudFix.zip"
"c:\program files\spybotsd14.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ewido-setup.exe
c:\program files\SmitfraudFix.zip
c:\program files\spybotsd14.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-13 23:24 . 2009-09-13 23:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-13 01:17 . 2009-09-13 01:18 -------- d-----w- c:\program files\QuickTime
2009-09-11 23:28 . 2009-09-11 23:46 -------- d-----w- C:\Combo-Fix
2009-09-11 18:10 . 2009-09-11 18:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-08 22:46 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 12:56 . 2009-09-07 13:29 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\DivX
2009-09-07 12:54 . 2009-09-07 12:54 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-30 21:24 . 2009-08-30 21:29 -------- d-----w- c:\program files\eGames
2009-08-30 21:23 . 2000-03-21 04:55 118784 ----a-w- c:\windows\system32\vbalNCSM6.dll
2009-08-30 21:23 . 1999-02-19 12:54 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-20 23:52 . 2009-08-28 01:30 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\HpUpdate
2009-08-20 23:52 . 2009-08-20 23:52 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 12:53 . 2008-11-02 20:50 -------- d-----w- c:\program files\Ulead Systems
2009-09-14 12:52 . 2008-11-02 20:50 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-09-14 12:52 . 2008-11-02 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-14 12:52 . 2003-07-01 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 23:24 . 2004-08-01 21:22 -------- d-----w- c:\program files\Java
2009-09-13 01:13 . 2007-12-01 21:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 03:02 . 2003-07-09 01:32 -------- d-----w- c:\program files\NavNT
2009-09-12 02:43 . 2009-01-22 02:50 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2009-09-12 00:22 . 2009-01-28 03:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2009-01-28 03:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-01-28 03:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 22:26 . 2009-03-07 19:18 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Move Networks
2009-09-07 12:55 . 2009-09-07 12:54 -------- d-----w- c:\program files\DivX
2009-08-05 09:01 . 2004-09-06 13:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 22:13 . 2009-07-31 22:12 -------- d-----w- c:\program files\iTunes
2009-07-31 22:12 . 2005-04-30 19:52 -------- d-----w- c:\program files\iPod
2009-07-31 21:31 . 2003-07-08 23:50 37184 ----a-w- c:\documents and settings\SiwikMuller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 12:08 . 2009-07-31 00:48 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-31 12:08 . 2009-07-31 01:17 -------- d-----w- c:\program files\Windows Live
2009-07-31 12:08 . 2009-07-31 01:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:37 . 2009-07-31 01:37 102384 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-31 01:36 . 2009-07-31 01:36 -------- d-----w- c:\program files\MSBuild
2009-07-31 01:36 . 2009-07-31 01:36 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 01:20 . 2009-07-31 01:20 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-07-31 00:49 . 2009-07-31 00:49 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-30 00:09 . 2009-07-30 00:09 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\IObit
2009-07-30 00:09 . 2007-11-22 01:57 -------- d-----w- c:\program files\IObit
2009-07-26 00:46 . 2007-02-14 02:38 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Image Zone Express
2009-07-17 19:01 . 2004-09-06 13:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 02:27 . 2005-04-30 19:56 -------- d-----w- c:\documents and settings\SiwikMuller\Application Data\Apple Computer
2009-07-14 03:43 . 2004-09-06 13:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:17 . 2009-09-07 12:55 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-07-14 00:17 . 2009-09-07 12:55 129784 ------w- c:\windows\system32\pxafs.dll
2009-07-14 00:17 . 2009-09-07 12:55 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-07-14 00:17 . 2009-09-07 12:55 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-07-14 00:17 . 2002-12-17 17:32 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-14 00:17 . 2002-12-17 17:32 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-07-03 17:09 . 2004-09-06 13:46 915456 ----a-w- c:\windows\system32\wininet.dll
2006-05-03 15:46 . 2006-05-06 15:10 218112 ----a-w- c:\program files\HijackThis.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-11_23.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-15 01:12 . 2009-09-15 01:12 16384 c:\windows\temp\Perflib_Perfdata_45c.dat
+ 2009-09-13 23:24 . 2009-09-13 23:24 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-09-13 23:24 . 2009-09-13 23:24 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-09-13 23:24 . 2009-09-13 23:24 145184 c:\windows\SYSTEM32\java.exe
+ 2009-09-13 23:24 . 2009-09-13 23:24 537600 c:\windows\Installer\9a340.msi
+ 2009-09-13 01:13 . 2009-09-13 01:13 694272 c:\windows\Installer\1466063.msi
+ 2009-09-13 01:18 . 2009-09-13 01:18 9013760 c:\windows\Installer\14662ee.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"vptray"="c:\program files\NavNT\vptray.exe" [2000-10-09 53248]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-25 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-1-24 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-29 113664]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-2-4 1528880]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [7/9/2003 8:07 PM 4064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-09-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-09-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy2\SpybotSD.exe [2009-01-22 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\SiwikMuller\Application Data\Mozilla\Firefox\Profiles\7ipgivmu.default\
FF - plugin: c:\documents and settings\SiwikMuller\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu
AddRemove-Adobe Photoshop Elements 2.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop Elements 2\Uninst.isu
AddRemove-MUSICMATCH Jukebox - c:\windows\IsUninst.exe -fc:\program files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu
AddRemove-program files - c:\progra~1\Prism3\UNWISE.EXE
AddRemove-Quicken 2002 New User Edition - c:\windows\IsUninst.exe -fc:\program files\QUICKENW\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 21:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\System32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\MSGSYS.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-09-15 21:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 01:18
ComboFix2.txt 2009-01-29 01:40

Pre-Run: 14,008,193,024 bytes free
Post-Run: 13,995,827,200 bytes free

244 --- E O F --- 2009-09-15 00:16


And removing the Ulead trial got rid of the boot-up error message. thanks.

[negster22]

Good job! Your computer appears to be clean now.

We have a few steps to finish up now.

If I asked you to download and run an ARK (Antirootkit program, then please uninstall it by doing the following:

• Delete the contents of the folder C:\ARK
  
• Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\Combo-Fix.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
  
• It will flush your system restore points and create a new restore point.
  
• It will rehide your system files and folders
  
• Reset your system clock

---
Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are aquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacools...areblaster.html
Update it and the enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

[DebS]

Thanks for all your help. Keep up the great work, I don't know what we would do without you people!

[negster22]

You're very welcome, DebS!