Full Version: Vundo infection hijack this log
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
steveshiro
My daughter's PC got infected with Vundo and god knows what else. Unfortunately, I am 1000 miles away and trying to help her remotely when she has no internet connection due to the condition of her machine. I had her run Malwarebytes and here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/26/2009 2:51:11 PM
mbam-log-2009-03-26 (14-51-11).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 197455
Time elapsed: 2 hour(s), 41 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a1328 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c00A1328.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0019F4D.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c002ED49.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0032ACC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00627C9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00AFB2A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00B4670.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00B5A6E.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

After that, a second run of Malwarebytes was clean but her machine still won't function properly. I'm not sure if Windows is damaged or if it is something else that can be determined from the HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:41 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\windows-kb890830-v2.8.exe
c:\05edb98892f004a482b4b25b07ff\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [A00F7620D8.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F7620D8.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200361035125
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9350 bytes

Thank you.
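Added editorial example, not code from this thread or from Malwarebytes/HijackThis: a small Python triage script that parses HijackThis O4 (autorun) lines and flags entries running from a Temp directory or under a random hex file name, like the `_A00F7620D8.exe` entry above that survived the MBAM run, and that lists which MBAM findings were deferred to "Delete on reboot" (which is why a reboot in normal mode matters). The sample log lines are copied from this thread; the flagging rules are the author's own heuristics, not MBAM's.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis O4 lines copied from the log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F7620D8.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F7620D8.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
"""

# Constructed sample: MBAM result lines from the first scan above; two of them
# could not be removed immediately and were scheduled for deletion at reboot.
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a1328 (Trojan.Vundo) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\__c00A1328.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "O4 - <location>: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$')
# First executable-looking token of the command, with or without quotes.
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|cmd|bat|scr|dll))"?', re.IGNORECASE)
# Heuristic: Vundo-style names such as _A00F7620D8.exe or __c00A1328.dat.
RANDOM_NAME_RE = re.compile(r'^_*[0-9a-f]{8,}\.(?:exe|dll|dat)$', re.IGNORECASE)
# "<item> (<detection>) -> <action>"
MBAM_RE = re.compile(r'^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+)$')


def image_path(command: str) -> str:
    """Extract the program path an O4 entry launches, dropping its arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group('image') if m else command.strip().split()[0]


def triage_o4(hjt_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (entry name, image path, reasons) for each O4 line worth a second look."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image = image_path(m.group('command'))
        low = image.lower().replace('/', '\\')
        base = low.rsplit('\\', 1)[-1]
        reasons = []
        if '\\temp\\' in low or low.startswith('%temp%'):
            reasons.append('runs from a Temp directory')
        if RANDOM_NAME_RE.match(base):
            reasons.append('random hex file name')
        if '\\' not in low:
            reasons.append('bare file name resolved via PATH; confirm its location')
        if reasons:
            flagged.append((m.group('name'), image, reasons))
    return flagged


def pending_at_reboot(mbam_text: str) -> List[Tuple[str, str]]:
    """Items MBAM marked 'Delete on reboot'; the cleanup only completes after a normal-mode restart."""
    pending = []
    for line in mbam_text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m and m.group('action').startswith('Delete on reboot'):
            pending.append((m.group('item'), m.group('detection')))
    return pending


if __name__ == '__main__':
    for name, image, reasons in triage_o4(SAMPLE_HJT):
        print(f'O4 [{name}] -> {image}: {"; ".join(reasons)}')
    for item, detection in pending_at_reboot(SAMPLE_MBAM):
        print(f'pending reboot: {item} ({detection})')
```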
miekiemoes
Hi,

First of all, please update Malwarebytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
steveshiro
Thank you! Unfortunately, we currently cannot access the internet with this machine. Is there a way to get an updated version of Malwarebytes downloaded to another machine and port it to this one using a USB stick, CD, etc.?
miekiemoes
Hi,

Just download the Malwarebytes installer and transfer it to the compromised computer.
http://www.malwarebytes.org/mbam.php
Latest database is here: http://www.gt500.org/malwarebytes/database.jsp
steveshiro
Sorry for the delay in getting new logs posted. Here is the Malwarebytes log (a second run was clean):

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

3/30/2009 12:51:12 PM
mbam-log-2009-03-30 (12-51-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 206835
Time elapsed: 2 hour(s), 22 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:29 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [A00F7620D8.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F7620D8.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200361035125
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9472 bytes

Thank you for your continued help.
miekiemoes
Hi,

The above HijackThis log is from Windows safe mode. Not sure why you're in Windows safe mode anyway.
Please reboot your computer back to normal mode, because Malwarebytes needs to finish a job after reboot and this will only work from Windows normal mode.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
steveshiro
I had my daughter download and run ComboFix. She ran it twice because the first time it was accidentally run from the USB flash device and the machine may have still been in safe mode. The second time it was run from C: and the machine was definitely in normal mode. Sorry if this makes anything more difficult to debug.

Note: She is still unable to access the internet and I don't know if that is due to damage to Windows, issues with her ISP or Malware.

----------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix Run 1:

ComboFix 09-03-31.01 - Compaq_Owner 2009-03-31 19:05:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.111 [GMT -6:00]
Running from: L:\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\program files\Trend Micro
2009-03-26 23:31 . 2009-03-26 23:31 <DIR> d--hs---- c:\windows\ftpcache
2009-03-26 23:31 . 2009-03-26 23:31 917,504 --a------ c:\windows\system32\FLASH.OCX
2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\drivers\PERC2.SYS
2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\dllcache\perc2.sys
2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\drivers\SPARROW.SYS
2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\dllcache\sparrow.sys
2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\drivers\MRAID35X.SYS
2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\dllcache\mraid35x.sys
2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\drivers\PERC2HIB.SYS
2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\dllcache\perc2hib.sys
2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\drivers\lbrtfdc.sys
2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\dllcache\lbrtfdc.sys
2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\drivers\i2omp.sys
2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\dllcache\i2omp.sys
2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\drivers\INI910U.SYS
2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\dllcache\ini910u.sys
2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\drivers\i2omgmt.sys
2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\dllcache\i2omgmt.sys
2009-03-26 21:17 . 2004-08-03 22:00 18,304 --a------ c:\windows\system32\drivers\SYMC8XX.SY_
2009-03-26 21:17 . 2004-08-03 22:00 15,864 --a------ c:\windows\system32\drivers\ULTRA.SY_
2009-03-26 21:17 . 2004-08-03 22:00 2,629 --a------ c:\windows\system32\drivers\TOSIDE.SY_
2009-03-26 21:16 . 2004-08-03 22:00 17,923 --a------ c:\windows\system32\drivers\SYM_U3.SY_
2009-03-26 21:16 . 2004-08-03 22:00 16,761 --a------ c:\windows\system32\drivers\SYM_HI.SY_
2009-03-26 21:16 . 2004-08-03 22:00 11,098 --a------ c:\windows\system32\drivers\SPARROW.SY_
2009-03-26 21:16 . 2004-08-03 22:00 8,352 --a------ c:\windows\system32\drivers\SYMC810.SY_
2009-03-26 21:15 . 2004-08-03 22:00 27,359 --a------ c:\windows\system32\drivers\QL1280.SY_
2009-03-26 21:15 . 2004-08-03 22:00 22,855 --a------ c:\windows\system32\drivers\QL1240.SY_
2009-03-26 21:14 . 2004-08-03 22:00 25,938 --a------ c:\windows\system32\drivers\QL12160.SY_
2009-03-26 21:14 . 2004-08-03 22:00 22,761 --a------ c:\windows\system32\drivers\QL1080.SY_
2009-03-26 21:14 . 2004-08-03 22:00 18,888 --a------ c:\windows\system32\drivers\QL10WNT.SY_
2009-03-26 21:12 . 2004-08-03 22:00 9,785 --a------ c:\windows\system32\drivers\MRAID35X.SY_
2009-03-26 21:09 . 2004-08-03 22:00 14,614 --a------ c:\windows\system32\drivers\LBRTFDC.SY_
2009-03-26 21:09 . 2004-08-03 22:00 8,560 --a------ c:\windows\system32\drivers\INI910U.SY_
2009-03-26 21:08 . 2004-08-03 22:00 10,324 --a------ c:\windows\system32\drivers\I2OMP.SY_
2009-03-26 21:08 . 2004-08-03 22:00 4,064 --a------ c:\windows\system32\drivers\I2OMGMT.SY_
2009-03-26 20:58 . 2009-03-26 20:59 <DIR> d-------- c:\program files\PC-Doctor for Windows
2009-03-26 20:56 . 2009-03-26 20:56 <DIR> d-------- c:\program files\directx
2009-03-26 20:53 . 2009-03-26 20:53 <DIR> d-------- c:\program files\Support Tools
2009-03-26 20:49 . 2009-03-26 20:49 <DIR> d-------- c:\program files\Application Compatibility Toolkit
2009-03-26 20:30 . 2009-03-26 20:30 <DIR> d-------- c:\program files\AWS
2009-03-26 20:12 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-26 20:01 . 2003-09-10 23:36 21,060 --------- c:\windows\system32\drivers\iviaspi.sys
2009-03-26 20:01 . 2003-09-19 01:47 10,368 --------- c:\windows\system32\drivers\pfc.sys
2009-03-26 20:00 . 2004-12-16 20:07 204,800 --a------ c:\windows\system32\IVIresizeW7.dll
2009-03-26 20:00 . 2004-12-16 20:07 200,704 --a------ c:\windows\system32\IVIresizeA6.dll
2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeP6.dll
2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeM6.dll
2009-03-26 20:00 . 2004-12-16 20:07 188,416 --a------ c:\windows\system32\IVIresizePX.dll
2009-03-26 20:00 . 2004-12-16 20:07 20,480 --a------ c:\windows\system32\IVIresize.dll
2009-03-26 19:58 . 2009-03-26 20:56 <DIR> d-------- c:\program files\InterVideo
2009-03-26 19:55 . 2009-03-26 19:55 <DIR> d-------- c:\program files\Macrovision Corp
2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\program files\Common Files\Sonic
2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Sonic
2009-03-26 19:48 . 2009-03-26 19:48 <DIR> d-------- c:\program files\Common Files\SureThing Shared
2009-03-26 19:16 . 2009-03-26 19:16 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-03-26 19:15 . 2009-03-26 19:15 <DIR> d-------- c:\program files\InterMute
2009-03-26 19:15 . 2009-03-26 19:16 2,158 --a------ c:\windows\system32\ssmute.ini
2009-03-26 16:08 . 2004-01-28 10:11 159,744 -ra------ c:\windows\system32\nvuide.exe
2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\drivers\hpn.sys
2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\dllcache\hpn.sys
2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\drivers\dpti2o.sys
2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\dllcache\dpti2o.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\drivers\cpqarray.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\dllcache\cpqarray.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\drivers\dac960nt.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\dllcache\dac960nt.sys
2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\drivers\cd20xrnt.sys
2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\dllcache\cd20xrnt.sys
2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\drivers\cmdide.sys
2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\dllcache\cmdide.sys
2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\drivers\asc.sys
2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\dllcache\asc.sys
2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\drivers\asc3350p.sys
2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\dllcache\asc3350p.sys
2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\drivers\asc3550.sys
2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\dllcache\asc3550.sys
2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\drivers\amsint.sys
2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\dllcache\amsint.sys
2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\drivers\aic78xx.sys
2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\dllcache\aic78xx.sys
2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\drivers\aic78u2.sys
2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\dllcache\aic78u2.sys
2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\drivers\aliide.sys
2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\dllcache\aliide.sys
2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\drivers\adpu160m.sys
2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\dllcache\adpu160m.sys
2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\drivers\aha154x.sys
2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\dllcache\aha154x.sys
2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\drivers\abp480n5.sys
2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\dllcache\abp480n5.sys
2009-03-26 12:06 . 2009-03-30 10:20 <DIR> d-------- c:\program files\Malwarebytes
2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-26 12:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 12:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 21:50 . 2009-03-25 21:50 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\HPQ
2009-03-25 11:56 . 2009-03-25 11:56 0 --a------ c:\windows\nsreg.dat
2009-03-23 12:06 . 2009-03-23 12:06 7,522,240 --a------ c:\program files\Firefox.exe
2009-03-23 12:02 . 2009-03-23 12:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\MSNInstaller
2009-03-02 16:27 . 2009-03-02 16:27 28,365,104 --a------ c:\program files\snagit.exe
2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-01 22:25 . 2009-03-01 22:25 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 01:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 11:43 --------- d-----w c:\program files\WildTangent
2009-03-27 06:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-27 02:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 02:58 --------- d-----w c:\program files\Quicken
2009-03-27 02:12 --------- d-----w c:\program files\Common Files\Real
2009-03-27 01:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-27 01:48 --------- d-----w c:\program files\Sonic
2009-03-27 01:40 --------- d-----w c:\program files\Symantec
2009-03-25 17:24 --------- d-----w c:\program files\Google
2009-03-23 16:29 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-23 16:18 --------- d-----w c:\program files\HP Games
2009-03-23 16:17 --------- d-----w c:\program files\Chill
2009-03-02 22:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-02 19:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\ZoomBrowser EX
2009-03-02 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-02 17:38 --------- d-----w c:\program files\Norton 360
2009-03-02 02:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\LimeWire
2009-02-25 13:15 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
2009-02-22 17:58 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2009-02-19 23:48 --------- d-----w c:\program files\Lavasoft
2009-02-19 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-18 05:14 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-04 01:36 --------- d-----w c:\program files\LimeWire
2009-01-28 11:25 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-13 00:35 350 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2008-08-06 12:53 15,070,144 ----a-w c:\program files\SpySweeper.exe
2008-01-15 22:27 4,494,664 ----a-w c:\program files\LimeWire.exe
2008-12-19 14:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121920081220\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-04-13 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 180269]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-04-26 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-07-07 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\InterMute\SpySubtract\sshook.dll" [2009-03-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-27 64160]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2007-10-17 822400]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.comcast.net/
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\stuwmk4w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 19:10:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4077673394-3207311990-1865167216-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-31 19:21:22
ComboFix-quarantined-files.txt 2009-04-01 01:21:17

Pre-Run: 162,384,642,048 bytes free
Post-Run: 162,534,211,584 bytes free

264 --- E O F --- 2009-03-18 03:55:37

-----------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix Run 2

ComboFix 09-03-31.01 - Compaq_Owner 2009-03-31 19:58:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.72 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\program files\Trend Micro
2009-03-26 23:31 . 2009-03-26 23:31 <DIR> d--hs---- c:\windows\ftpcache
2009-03-26 23:31 . 2009-03-26 23:31 917,504 --a------ c:\windows\system32\FLASH.OCX
2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\drivers\PERC2.SYS
2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\dllcache\perc2.sys
2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\drivers\SPARROW.SYS
2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\dllcache\sparrow.sys
2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\drivers\MRAID35X.SYS
2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\dllcache\mraid35x.sys
2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\drivers\PERC2HIB.SYS
2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\dllcache\perc2hib.sys
2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\drivers\lbrtfdc.sys
2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\dllcache\lbrtfdc.sys
2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\drivers\i2omp.sys
2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\dllcache\i2omp.sys
2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\drivers\INI910U.SYS
2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\dllcache\ini910u.sys
2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\drivers\i2omgmt.sys
2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\dllcache\i2omgmt.sys
2009-03-26 21:17 . 2004-08-03 22:00 18,304 --a------ c:\windows\system32\drivers\SYMC8XX.SY_
2009-03-26 21:17 . 2004-08-03 22:00 15,864 --a------ c:\windows\system32\drivers\ULTRA.SY_
2009-03-26 21:17 . 2004-08-03 22:00 2,629 --a------ c:\windows\system32\drivers\TOSIDE.SY_
2009-03-26 21:16 . 2004-08-03 22:00 17,923 --a------ c:\windows\system32\drivers\SYM_U3.SY_
2009-03-26 21:16 . 2004-08-03 22:00 16,761 --a------ c:\windows\system32\drivers\SYM_HI.SY_
2009-03-26 21:16 . 2004-08-03 22:00 11,098 --a------ c:\windows\system32\drivers\SPARROW.SY_
2009-03-26 21:16 . 2004-08-03 22:00 8,352 --a------ c:\windows\system32\drivers\SYMC810.SY_
2009-03-26 21:15 . 2004-08-03 22:00 27,359 --a------ c:\windows\system32\drivers\QL1280.SY_
2009-03-26 21:15 . 2004-08-03 22:00 22,855 --a------ c:\windows\system32\drivers\QL1240.SY_
2009-03-26 21:14 . 2004-08-03 22:00 25,938 --a------ c:\windows\system32\drivers\QL12160.SY_
2009-03-26 21:14 . 2004-08-03 22:00 22,761 --a------ c:\windows\system32\drivers\QL1080.SY_
2009-03-26 21:14 . 2004-08-03 22:00 18,888 --a------ c:\windows\system32\drivers\QL10WNT.SY_
2009-03-26 21:12 . 2004-08-03 22:00 9,785 --a------ c:\windows\system32\drivers\MRAID35X.SY_
2009-03-26 21:09 . 2004-08-03 22:00 14,614 --a------ c:\windows\system32\drivers\LBRTFDC.SY_
2009-03-26 21:09 . 2004-08-03 22:00 8,560 --a------ c:\windows\system32\drivers\INI910U.SY_
2009-03-26 21:08 . 2004-08-03 22:00 10,324 --a------ c:\windows\system32\drivers\I2OMP.SY_
2009-03-26 21:08 . 2004-08-03 22:00 4,064 --a------ c:\windows\system32\drivers\I2OMGMT.SY_
2009-03-26 20:58 . 2009-03-26 20:59 <DIR> d-------- c:\program files\PC-Doctor for Windows
2009-03-26 20:56 . 2009-03-26 20:56 <DIR> d-------- c:\program files\directx
2009-03-26 20:53 . 2009-03-26 20:53 <DIR> d-------- c:\program files\Support Tools
2009-03-26 20:49 . 2009-03-26 20:49 <DIR> d-------- c:\program files\Application Compatibility Toolkit
2009-03-26 20:30 . 2009-03-26 20:30 <DIR> d-------- c:\program files\AWS
2009-03-26 20:12 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-26 20:01 . 2003-09-10 23:36 21,060 --------- c:\windows\system32\drivers\iviaspi.sys
2009-03-26 20:01 . 2003-09-19 01:47 10,368 --------- c:\windows\system32\drivers\pfc.sys
2009-03-26 20:00 . 2004-12-16 20:07 204,800 --a------ c:\windows\system32\IVIresizeW7.dll
2009-03-26 20:00 . 2004-12-16 20:07 200,704 --a------ c:\windows\system32\IVIresizeA6.dll
2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeP6.dll
2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeM6.dll
2009-03-26 20:00 . 2004-12-16 20:07 188,416 --a------ c:\windows\system32\IVIresizePX.dll
2009-03-26 20:00 . 2004-12-16 20:07 20,480 --a------ c:\windows\system32\IVIresize.dll
2009-03-26 19:58 . 2009-03-26 20:56 <DIR> d-------- c:\program files\InterVideo
2009-03-26 19:55 . 2009-03-26 19:55 <DIR> d-------- c:\program files\Macrovision Corp
2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\program files\Common Files\Sonic
2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Sonic
2009-03-26 19:48 . 2009-03-26 19:48 <DIR> d-------- c:\program files\Common Files\SureThing Shared
2009-03-26 19:16 . 2009-03-26 19:16 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-03-26 19:15 . 2009-03-26 19:15 <DIR> d-------- c:\program files\InterMute
2009-03-26 19:15 . 2009-03-26 19:16 2,158 --a------ c:\windows\system32\ssmute.ini
2009-03-26 16:08 . 2004-01-28 10:11 159,744 -ra------ c:\windows\system32\nvuide.exe
2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\drivers\hpn.sys
2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\dllcache\hpn.sys
2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\drivers\dpti2o.sys
2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\dllcache\dpti2o.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\drivers\cpqarray.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\dllcache\cpqarray.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\drivers\dac960nt.sys
2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\dllcache\dac960nt.sys
2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\drivers\cd20xrnt.sys
2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\dllcache\cd20xrnt.sys
2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\drivers\cmdide.sys
2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\dllcache\cmdide.sys
2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\drivers\asc.sys
2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\dllcache\asc.sys
2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\drivers\asc3350p.sys
2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\dllcache\asc3350p.sys
2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\drivers\asc3550.sys
2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\dllcache\asc3550.sys
2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\drivers\amsint.sys
2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\dllcache\amsint.sys
2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\drivers\aic78xx.sys
2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\dllcache\aic78xx.sys
2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\drivers\aic78u2.sys
2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\dllcache\aic78u2.sys
2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\drivers\aliide.sys
2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\dllcache\aliide.sys
2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\drivers\adpu160m.sys
2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\dllcache\adpu160m.sys
2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\drivers\aha154x.sys
2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\dllcache\aha154x.sys
2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\drivers\abp480n5.sys
2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\dllcache\abp480n5.sys
2009-03-26 12:06 . 2009-03-30 10:20 <DIR> d-------- c:\program files\Malwarebytes
2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-26 12:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 12:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 21:50 . 2009-03-25 21:50 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\HPQ
2009-03-25 11:56 . 2009-03-25 11:56 0 --a------ c:\windows\nsreg.dat
2009-03-23 12:06 . 2009-03-23 12:06 7,522,240 --a------ c:\program files\Firefox.exe
2009-03-23 12:02 . 2009-03-23 12:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\MSNInstaller
2009-03-02 16:27 . 2009-03-02 16:27 28,365,104 --a------ c:\program files\snagit.exe
2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-01 22:25 . 2009-03-01 22:25 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 01:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 11:43 --------- d-----w c:\program files\WildTangent
2009-03-27 06:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-27 02:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 02:58 --------- d-----w c:\program files\Quicken
2009-03-27 02:12 --------- d-----w c:\program files\Common Files\Real
2009-03-27 01:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-27 01:48 --------- d-----w c:\program files\Sonic
2009-03-27 01:40 --------- d-----w c:\program files\Symantec
2009-03-25 17:24 --------- d-----w c:\program files\Google
2009-03-23 16:29 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-23 16:18 --------- d-----w c:\program files\HP Games
2009-03-23 16:17 --------- d-----w c:\program files\Chill
2009-03-02 22:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-02 19:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\ZoomBrowser EX
2009-03-02 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-02 17:38 --------- d-----w c:\program files\Norton 360
2009-03-02 02:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\LimeWire
2009-02-25 13:15 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
2009-02-22 17:58 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2009-02-19 23:48 --------- d-----w c:\program files\Lavasoft
2009-02-19 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-18 05:14 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-04 01:36 --------- d-----w c:\program files\LimeWire
2009-01-28 11:25 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-13 00:35 350 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2008-08-06 12:53 15,070,144 ----a-w c:\program files\SpySweeper.exe
2008-01-15 22:27 4,494,664 ----a-w c:\program files\LimeWire.exe
2008-12-19 14:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121920081220\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-31_19.19.53.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 21:28:15 1,660 ----a-w c:\windows\bthservsdp.dat
+ 2009-04-01 01:30:16 1,660 ----a-w c:\windows\bthservsdp.dat
- 2009-04-01 00:54:39 53,436 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-01 01:35:53 53,436 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-01 00:54:39 381,692 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-01 01:35:53 381,692 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-04-13 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 180269]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-04-26 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-07-07 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\InterMute\SpySubtract\sshook.dll" [2009-03-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-27 64160]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2007-10-17 822400]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.comcast.net/
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\stuwmk4w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 20:01:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4077673394-3207311990-1865167216-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-31 20:03:41
ComboFix-quarantined-files.txt 2009-04-01 02:03:37
ComboFix2.txt 2009-04-01 01:52:53
ComboFix3.txt 2009-04-01 01:21:25

Pre-Run: 162,540,216,320 bytes free
Post-Run: 162,524,762,112 bytes free

264 --- E O F --- 2009-03-18 03:55:37
miekiemoes
Hi,

Nothing strange anymore in your Combofix log, which means that MalwareBytes already removed whatever was present.
There's however something strange though - I see a lot of files (drivers) and folders being created/modified on 26 and 27 March.
Is it possible that a repair install was done in between? Or any other steps related with drivers etc.? Because this is somewhat strange.

Anyway, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

As a final check... Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
steveshiro
Thank you. We will do this and post again this evening or tomorrow. My daughter did try to repair windows before we started this post so that is what you are seeing.
miekiemoes
QUOTE
My daughter did try to repair windows before we started this post so that is what you are seeing.
Yes, that makes sense.
steveshiro
We haven't done anything from your last post yet. Still cannot connect to the internet. Connects to the ISP ok via the cable modem (IP address, etc.) and all the settings look good but cannot go anywhere with IE or Firefox. Seems like something might be wrong with Windows but I'm not sure. If you have any suggestions I would appreciate it. Otherwise, I will keep trying. I will be visiting her next week so it might help not working remote.

THANKS!
miekiemoes
Hi,

It's unclear here whether you have connection problems with wireless or cable or both..

Anyway...

Was there a proxy server previously set? Because I see partially configured proxy settings here.
So not sure if it was configured to use a proxy or not.
Anyway, try this first..

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

In case there was a proxy setting set previously, then you also need to adjust it again with these settings. Unfortunately I cannot tell you what these settings in your case are.

If no change, use WinsockFix:
http://majorgeeks.com/download4372.html

If still no luck, can you access the Internet in Windows Safe mode (choose Safe mode with network access of course)? If so, then it's most probably your Antivirus/Firewall causing your problem.
Even if no access in Windows safe mode, it may be a good idea to temporarily uninstall Norton anyway, this to test. It's not the first time that Norton causes this.
Please reboot after uninstalling.

If still no luck, read here: http://support.microsoft.com/kb/299357

If it's mainly your Wireless (since that part is unclear here), look here: http://www.daileyint.com/hmdpc/connect.htm
It's always a good idea to reset settings / reinstall Wireless
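As an added example that is not part of the thread, the following PowerShell script reads the same Internet Explorer LAN proxy settings the post above tells the user to check, flags the "enabled but pointing nowhere" or "leftover automatic configuration script" states that malware commonly leaves behind, and then pings the default gateway to tell a browser/proxy problem apart from a network-stack or modem problem. It assumes Windows PowerShell 2.0 or later is present on the affected machine and that the settings live in the standard WinINET location under HKCU; the registry value names shown are the standard ones, and the script only reads, it does not change anything.

```powershell
# Added example (not from the thread): inspect the IE/WinINET proxy settings
# and test basic connectivity below the browser layer.
# Assumes Windows PowerShell 2.0+; run it as the user whose browser cannot connect.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

Write-Host "ProxyEnable   : $($p.ProxyEnable)"      # 1 = "use a proxy server" is checked
Write-Host "ProxyServer   : $($p.ProxyServer)"      # host:port, or a per-protocol list
Write-Host "ProxyOverride : $($p.ProxyOverride)"    # bypass list, e.g. <local>
Write-Host "AutoConfigURL : $($p.AutoConfigURL)"    # PAC script URL, if any

# A proxy that is enabled but has no server, or a PAC URL nobody configured,
# is the kind of partially configured state the post refers to.
if ($p.ProxyEnable -eq 1 -and [string]::IsNullOrEmpty($p.ProxyServer)) {
    Write-Warning "Proxy is enabled but no ProxyServer is set: browsers will fail to connect."
}
if (-not [string]::IsNullOrEmpty($p.AutoConfigURL)) {
    Write-Warning "An automatic configuration script is set: $($p.AutoConfigURL)"
}

# Connectivity test below the browser layer: find each default gateway and ping it.
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DefaultIPGateway }
foreach ($c in $cfgs) {
    $gw = $c.DefaultIPGateway[0]
    $ok = Test-Connection -ComputerName $gw -Count 2 -Quiet
    Write-Host "Adapter '$($c.Description)': gateway $gw reachable = $ok"
}
# If the gateway does not answer, the fault is below the proxy/browser layer
# (adapter, driver, modem or ISP), which is what this thread eventually found.

# Resetting the network stack, the built-in equivalent of what WinsockFix does
# (run from an administrative command prompt, then reboot):
#   netsh winsock reset
#   netsh int ip reset resetlog.txt
```

If ProxyEnable is 0, nothing is set under AutoConfigURL and the gateway still does not answer, the proxy advice above will not help and the cable modem, adapter or ISP side should be checked next, as the later replies in this thread do.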
steveshiro
Thank you. Unfortunately, none of this helped. I am starting to think she has a problem with her cable modem and/or ISP in addition to the malware that was there. I think this because she is not even able to ping her gateway from a DOS window. BTW, the connection is directly to a cable modem and wireless is not being used.


Thanks again,
miekiemoes
Hi,

Yes, it may be a good idea to contact her ISP. Also keep in mind that malware damages a lot and in a lot of cases a repair install or even a format and reinstall is needed to fix all damage.
steveshiro
You can close this topic. We are 100% certain that Windows is damaged and needs a repair and hopefully not a complete install. Another PC connected to the cable modem functions fine.

Thank you for your help.
miekiemoes
Hi,

Yes, malware damages a lot and not all damage can be repaired. So yes, it's a good idea to perform a repair install.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
miekiemoes
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.