Everything posted by tallisall

  1. Hi, I know you are extremely busy based on the number of posts I am seeing. It has been approx. 70 hours since my post. Thanks for the help in advance.
  2. A friend brought me his infected machine for help because he knew that I have received help from your forum before and knew how to post here. I downloaded a new copy of mbam.exe to my machine, copied it to a thumb drive and then to his desktop. When I tried to double-click to start the installation, this message came up: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have downloaded and tried to run the following programs: Malwarebytes, HiJackThis, ComboFix, Process Explorer, Security Check, Root Repeal, and OTL.exe. I have tried to run them in safe mode as well. In safe mode I don't get that message, but instead get a popup window with "desot.exe Application Error" on the blue bar and the message "the application failed to initialize properly". I have to click on it twice to close it. I right-clicked on Start, picked Explore and was able to look at the files in windows and system32. I had previously changed the settings in Control Panel to show hidden files, extensions and system files. I found desot.exe in system32 along with dddesot.dll. There are some other dlls and dat files that were installed the same day (9-20-09). The machine is an HP Pavilion, XP Home SP2, AMD Athlon 3 GHz, and 1 gig RAM. I know that I am in way over my head so I am asking the forum for help. Thanks in advance.
  3. Hi screen317, Sorry to not have posted back before, but I still have not gotten in touch with her. Please keep this active for another day or so and I will give you an answer. Again, sorry for the delay. I know you folks are busy.
  4. Hi screen317, Downloaded and did manual update to mbam in safe mode, then ran it. It did not find anything. I can backup her data to ext hd in safe mode and if she has her recovery disks we will probably do as you suggest. I will post tomorrow on laptop's status. Thanks for all the help. MBAM log below.
  5. Hi screen317, Sorry that it took so long to post this. Here is the log that you requested.
  6. Screen317, Thanks for the help. I am not where the laptop is right now. Will run the diag tonight and post tomorrow morning.
  7. I downloaded both combofix and inherit.exe, dragged combofix onto the inherit icon, got the ok message, then double-clicked on combofix to run. Got the green bar as it was loading, but it stopped at that point. Looking at C: drive the Qoobox folder is there, but no log file is present.
  8. Here are the logs from last post. I tried to run MBAM in real mode and it could not run. I rebooted into safe mode and it did not find any problems. Thanks for the help on this.

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com
     Platform: Windows Vista
     *******************
     Script file opened successfully.
     Script file read successfully.
     Backups directory opened successfully at C:\Avenger
     *******************
     Beginning to process script file:
     Rootkit scan active.
     No rootkits found!
     Error: could not open file "C:\WINDOWS\ServicePackFiles\i386\scecli.dll" for move operation
     File move operation "C:\WINDOWS\ServicePackFiles\i386\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist
     Completed script processing.
     *******************
     Finished! Terminate.
  9. Hi, Ran the batch file, then Avenger with the code. Log is below. Combofix and Malwarebytes both froze while attempting to run. I did a manual update to mb as this laptop cannot get on the internet. Should I try to run mb in safe mode again? How about combofix in safe mode?

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com
     Platform: Windows Vista
     *******************
     Script file opened successfully.
     Script file read successfully.
     Backups directory opened successfully at C:\Avenger
     *******************
     Beginning to process script file:
     Rootkit scan active.
     No rootkits found!
     Error: file "c:\scecli.dll" not found!
     File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
     Completed script processing.
     *******************
     Finished! Terminate.
  10. Here is the log.
  11. Hi, I downloaded it on my machine, copied it to a thumb drive, and then copied it to her desktop. When I tried to run it, I got the green bar as it was unpacking and a brief DOS box, then nothing. No hard drive activity at all. I checked at the C prompt and no log was created. Do you think that it is safe to let this machine on to my network and have internet access? Thanks in advance.
  12. Hi, I am helping a friend with her laptop. I could install malwarebytes normally, but it would not start. I tried to run hjt, and it would not start either. I did a manual update of mbam then restarted in safe mode and both worked. The logs are below. I tried to install AVG antivirus, but it would not unpack completely. Then tried to install Avira antivirus and the same thing happened. The laptop is a Compaq Presario CQ50 with Vista Home Premium SP1 32-bit, AMD Athlon Dual-Core QL-60 CPU, with 2 gigs of RAM. Will someone please look at the logs and see what we have on this machine? Thanks.
  13. Hi, Everything seems to be running smoothly. I need to reinstall his Norton, but the machine seems to be running fine. Thank you for all the help.
  14. Hi, Sorry it took so long for me to post. The machine is running much better now. I ran a malwarebytes scan this weekend without updates because I was still having problems getting online. It found 5 Trojan.DNSChanger entries in the registry. Today I was able to get on the net and update. Here are the 2 logs and a new hjt log. Again, thanks for the help.
  15. Hi, Copied Combo-Fix.exe to my friend's desktop and ran it. It found a rootkit. Machine now will boot in real mode. Malwarebytes now comes up, but still unable to get on the internet for updates. Logs below. Thank you for all your help.
Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll O3 - Toolbar: Yahoo! 
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5556164D-4B4A-458F-81B6-DBDFD44BA4AD}: NameServer = 69.78.96.14 66.174.92.14 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120 O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing) O23 - Service: getPlus® Helper - 
NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 5283 bytes
  16. Hi, His machine can only come up in safe mode and cannot get on the internet. Can I download ComboFix on my machine, copy it to his desktop and run it in safe mode? I will not be able to install the Recovery Console without internet access. Thanks,
  17. Hi, Helping a friend with his PC. When the machine tries to boot in normal mode and he logs on, we get a BSOD with the error (page fault in nonpaged area). He said that the problem started after he discovered his Norton Internet Security program had stopped working. He contacted Norton and a rep walked him through uninstalling it. He downloaded the new version, but it would not install. The Norton rep said that my friend must have some type of malware on his machine and it must be removed before he could reinstall Norton. I can bring the machine up in safe mode and I installed Malwarebytes, but it will not run. Since there is no antivirus software on the machine, I downloaded the Avira antivirus software on my machine, put it on a thumb drive and tried to install it on his machine. It would unpack, but not install. I renamed HJT to my initials and ran it. Here is the log file. Can you help? Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:23 PM, on 6/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Search\rdh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LFG/Toolbar/LFG-toolbar.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5556164D-4B4A-458F-81B6-DBDFD44BA4AD}: NameServer = 69.78.96.14 66.174.92.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3FD40CE-A0A2-48ED-B6D8-3F5B8D099212}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3761965-F4E6-4793-B82D-C542B503E338}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6103 bytes
  18. Hi, The link to OTMoveIt3 does not seem to be valid. Can you supply another? Thanks
  19. Hi, Updated and did full scan with Norton. Report says nothing found. Looks like everything is clean. thank you
  20. Hi, I was away yesterday. Thank you so much for the help. Logs below.

ComboFix 09-06-07.07 - Ray 06/08/2009 10:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.191 [GMT -5:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFscript.txt

FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys"
"c:\documents and settings\Ray\Application Data\~ygw.tmp"
"c:\program files\iview410_setup.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ray\Application Data\~ygw.tmp
c:\program files\iview410_setup.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_S3CHIPID
-------\Service_s3chipid

((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-03 14:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 14:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 14:19 . 2009-06-03 14:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 22:58 . 2009-06-02 22:58 27456 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.DLL
2009-06-02 22:58 . 2009-06-02 22:58 25408 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL
2009-06-02 15:47 . 2009-06-02 15:47 0 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-05-31 21:59 . 2009-05-31 22:00 -------- d-----w- c:\documents and settings\Ray\DoctorWeb
2009-05-27 18:33 . 2009-06-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\13335464
2009-05-26 15:29 . 2009-05-26 15:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-26 15:12 . 2009-05-26 15:12 -------- d-----w- c:\documents and settings\Ray\.housecall6.6
2009-05-16 18:01 . 2009-05-16 19:51 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio
2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\program files\Common Files\HP
2009-05-16 17:57 . 2009-05-16 17:58 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio Viewer
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-06-08 15:20 . 2007-07-15 00:51 -------- d-----w- c:\documents and settings\Ray\Application Data\Skype
2009-06-08 15:11 . 2007-12-16 14:18 -------- d-----w- c:\documents and settings\Ray\Application Data\skypePM
2009-06-05 16:32 . 2008-08-05 20:46 -------- d-----w- c:\program files\Google
2009-06-03 17:19 . 2009-03-20 20:39 117760 ----a-w- c:\documents and settings\Ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-02 11:02 . 2006-06-02 23:07 -------- d-----w- c:\program files\NavExcel Search Toolbar
2009-05-27 18:41 . 2008-09-26 16:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 18:05 . 2008-03-14 11:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 22:20 . 2007-09-01 22:22 -------- d-----w- c:\documents and settings\Ray\Application Data\ZoomBrowser EX
2009-05-23 22:14 . 2007-09-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-05-16 18:00 . 2006-06-29 22:43 -------- d-----w- c:\documents and settings\Ray\Application Data\Walgreens
2009-05-07 00:06 . 2006-06-01 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-27 12:08 . 2009-04-27 12:08 -------- d-----w- c:\program files\WireTron
2007-02-03 18:16 . 2007-02-03 18:16 947 ----a-w- c:\program files\sitemap[1].xml
.

((((((((((((((((((((((((((((( SnapShot@2009-06-05_16.25.56 )))))))))))))))))))))))))))))))))))))))))
.

+ 2009-06-08 15:20 . 2009-06-08 15:20 16384 c:\windows\temp\Perflib_Perfdata_43c.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-07-19 1056768]
"Total Internet"="c:\program files\WT.Net\Fptool.exe" [1998-01-23 718336]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe" [2005-11-19 73728]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-04-11 32768]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2008-09-27 1581056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\SkypeSetup.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/30/2008 11:15 AM 33752]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [8/24/2007 5:15 PM 83552]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [12/9/2007 5:03 PM 146368]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{1495B2FC-3459-45CE-9763-C8F813F4EB70}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://inreach.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 10:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3304)
c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\WT.Net\FPSETUP.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-06-08 10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 15:22
ComboFix2.txt 2009-06-05 16:30

Pre-Run: 29,237,940,224 bytes free
Post-Run: 29,221,257,216 bytes free

151 --- E O F --- 2009-05-13 11:43

JavaRa 1.14 Removal Log.
Report follows after line.

------------------------------------
The JavaRa removal process was started on Mon Jun 08 10:29:58 2009
Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log
Found and removed: SOFTWARE\Classes\JavaPlugin.150_01
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\
------------------------------------
Finished reporting.

CLEANING COMPLETE - (2.581 secs)
------------------------------------------------------------------------------------------
3.77MB removed.
------------------------------------------------------------------------------------------
Details of files deleted
------------------------------------------------------------------------------------------
IE Temporary Internet Files (1 files) 77.07KB
Emptied Recycle Bin (4 files) 3.68MB
------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2248
Windows 5.1.2600 Service Pack 3

6/8/2009 11:06:06 AM
mbam-log-2009-06-08 (11-06-06).txt

Scan type: Quick Scan
Objects scanned: 78771
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:17:39 AM, on 6/8/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\WT.Net\Fptool.exe C:\WINDOWS\V0470Mon.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Search-09\Search.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun O4 - HKCU\..\Run: [ctfmon.exe] 
C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. 
- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 6690 bytes
  21. Hi, Logs below. Thanks again. ComboFix 09-06-04.A1 - Ray 06/05/2009 11:20.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.164 [GMT -5:00] Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Ray\x.exe c:\windows\system32\dacxmtbb.ini c:\windows\system32\fmxyxjlq.ini c:\windows\system32\inetres.dll c:\windows\system32\msoert2.dll c:\windows\system32\UACltavkbuyxudppww.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 ))))))))))))))))))))))))))))))) . 2009-06-03 14:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-03 14:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-03 14:19 . 2009-06-03 14:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-02 22:58 . 2009-06-02 22:58 27456 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.DLL 2009-06-02 22:58 . 2009-06-02 22:58 25408 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL 2009-06-02 15:47 . 2009-06-02 15:47 0 ----a-w- c:\windows\system32\drivers\rootrepeal.sys 2009-05-31 21:59 . 2009-05-31 22:00 -------- d-----w- c:\documents and settings\Ray\DoctorWeb 2009-05-27 18:33 . 2009-06-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\13335464 2009-05-26 15:29 . 2009-05-26 15:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-05-26 15:12 . 2009-05-26 15:12 -------- d-----w- c:\documents and settings\Ray\.housecall6.6 2009-05-16 18:01 . 
2009-05-16 19:51 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio 2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens 2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\program files\Common Files\HP 2009-05-16 17:57 . 2009-05-16 17:58 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio Viewer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-05 16:26 . 2007-07-15 00:51 -------- d-----w- c:\documents and settings\Ray\Application Data\Skype 2009-06-05 16:09 . 2007-12-16 14:18 -------- d-----w- c:\documents and settings\Ray\Application Data\skypePM 2009-06-03 17:19 . 2009-03-20 20:39 117760 ----a-w- c:\documents and settings\Ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-06-02 11:02 . 2006-06-02 23:07 -------- d-----w- c:\program files\NavExcel Search Toolbar 2009-05-27 18:41 . 2008-09-26 16:58 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-05-27 18:05 . 2008-03-14 11:37 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-26 13:26 . 2009-05-26 13:26 0 ----a-w- c:\documents and settings\Ray\Application Data\~ygw.tmp 2009-05-23 22:20 . 2007-09-01 22:22 -------- d-----w- c:\documents and settings\Ray\Application Data\ZoomBrowser EX 2009-05-23 22:14 . 2007-09-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser 2009-05-16 18:00 . 2006-06-29 22:43 -------- d-----w- c:\documents and settings\Ray\Application Data\Walgreens 2009-05-13 00:02 . 2008-08-05 20:46 -------- d-----w- c:\program files\Google 2009-05-07 00:06 . 2006-06-01 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-04-27 12:08 . 2009-04-27 12:08 -------- d-----w- c:\program files\WireTron 2008-03-01 18:26 . 
2008-03-01 18:26 1156096 ----a-w- c:\program files\iview410_setup.exe 2007-02-03 18:16 . 2007-02-03 18:16 947 ----a-w- c:\program files\sitemap[1].xml . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824] "RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-07-19 1056768] "Total Internet"="c:\program files\WT.Net\Fptool.exe" [1998-01-23 718336] "3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe" [2005-11-19 73728] "V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-04-11 32768] "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248] "C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2008-09-27 1581056] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] 
"AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Skype\\SkypeSetup.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944] S2 gupdate1c984c1f914fd5b;Google Update Service (gupdate1c984c1f914fd5b);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2009 6:08 PM 133104] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/30/2008 11:15 AM 33752] S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [8/24/2007 5:15 PM 83552] S3 s3chipid;s3chipid;\??\c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys [?] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408] S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [12/9/2007 5:03 PM 146368] . Contents of the 'Scheduled Tasks' folder 2009-06-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 23:08] 2009-06-05 c:\windows\Tasks\User_Feed_Synchronization-{1495B2FC-3459-45CE-9763-C8F813F4EB70}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 00:36] . - - - - ORPHANS REMOVED - - - - HKLM-Run-USRpdA - (no file) SafeBoot-procexp90.Sys . ------- Supplementary Scan ------- . 
uStart Page = hxxp://inreach.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-05 11:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(840) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(1812) c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\MsPMSPSv.exe c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\WT.Net\FPSETUP.exe c:\program files\Skype\Plugin Manager\skypePM.exe . ************************************************************************** . 
Completion time: 2009-06-05 11:30 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-05 16:30 Pre-Run: 29,238,685,696 bytes free Post-Run: 29,268,119,552 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 158 --- E O F --- 2009-05-13 11:43 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:58:19 AM, on 6/5/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\WT.Net\Fptool.exe C:\WINDOWS\V0470Mon.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Search-09\Search.exe R0 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - 
HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter: x-sdch - 
{B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 7119 bytes DDS (Ver_09-05-14.01) - NTFSx86 Run by Ray at 11:51:24.73 on Fri 06/05/2009 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.45 [GMT -5:00] ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\WT.Net\Fptool.exe C:\WINDOWS\V0470Mon.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\Google\Update\GoogleUpdate.exe svchost.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Ray\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://inreach.com/ 
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe mRun: [VTTimer] VTTimer.exe mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe mRun: [Total Internet] c:\program files\wt.net\Fptool.exe mRun: [3c1807pd] c:\windows\system32\3cmlink.exe runservices \device\3cpipe-3c1807pd mRun: [V0470Mon.exe] c:\windows\V0470Mon.exe mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe mRun: [C-Media Mixer] Mixer.exe /startup mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813 DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - 
hxxp://photo.walgreens.com/WalgreensOutlookImport.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228433910968 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186018685031 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1217968590986&h=107fcdc5cae12eb277790ffaaaf5a02c/&filename=jinstall-6u7-windows-i586-jc.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote1.na.amec.com/dana-cached/setup/JuniperSetupSP1.cab Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: NavLogon - 
c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVENG.sys [2009-5-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVEX15.sys [2009-5-23 876144]
S2 gupdate1c984c1f914fd5b;Google Update Service (gupdate1c984c1f914fd5b);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-30 33752]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2007-8-24 83552]
S3 s3chipid;s3chipid;\??\c:\docume~1\ray\locals~1\temp\s3chipid.sys --> c:\docume~1\ray\locals~1\temp\s3chipid.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [2007-12-9 146368]

=============== Created Last 30 ================

2009-06-05 11:16 <DIR> a-dshr-- C:\cmdcons
2009-06-05 11:14 161,792 a------- c:\windows\SWREG.exe
2009-06-05 11:14 154,624 a------- c:\windows\PEV.exe
2009-06-05 11:14 98,816 a------- c:\windows\sed.exe
2009-06-03 09:19 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 09:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-03 09:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 10:47 0 a------- c:\windows\system32\drivers\rootrepeal.sys
2009-05-31 16:59 <DIR> --d----- c:\documents and settings\ray\DoctorWeb
2009-05-27 13:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13335464
2009-05-26 10:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-26 10:12 <DIR> --d----- c:\documents and settings\ray\.housecall6.6
2009-05-16 13:01 <DIR> --d----- c:\docume~1\ray\applic~1\W Photo Studio
2009-05-16 13:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Walgreens
2009-05-16 13:00 <DIR> --d----- c:\program files\common files\HP
2009-05-16 12:57 <DIR> --d----- c:\docume~1\ray\applic~1\W Photo Studio Viewer

==================== Find3M ====================

2008-03-01 13:26 1,156,096 a------- c:\program files\iview410_setup.exe
2007-12-16 09:18 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-02-03 13:16 947 a------- c:\program files\sitemap[1].xml
2008-12-04 20:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120420081205\index.dat

============= FINISH: 11:52:00.90 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/31/2001 9:50:01 PM
System Uptime: 6/5/2009 11:49:32 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8V-MX
Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 2000/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 27.273 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Standard Game Port
Device ID: CMI\CHILD0000\5&5FCF65F&2&0000
Manufacturer: (Standard system devices)
Name: Standard Game Port
PNP Device ID: CMI\CHILD0000\5&5FCF65F&2&0000
Service: gameenum

==== System Restore Points ===================

RP812: 3/8/2009 10:25:43 AM - System Checkpoint
RP813: 3/13/2009 8:21:25 AM - System Checkpoint
RP814: 3/13/2009 6:42:21 PM - Software Distribution Service 3.0
RP815: 3/15/2009 8:26:32 AM - System Checkpoint
RP816: 3/16/2009 6:33:27 PM - System Checkpoint
RP817: 3/19/2009 3:52:50 PM - System Checkpoint
RP818: 3/20/2009 6:35:50 AM - Software Distribution Service 3.0
RP819: 3/21/2009 8:52:07 AM - System Checkpoint
RP820: 3/22/2009 9:01:59 AM - System Checkpoint
RP821: 3/23/2009 9:51:30 AM - System Checkpoint
RP822: 3/24/2009 12:15:07 PM - System Checkpoint
RP823: 3/25/2009 12:33:33 PM - System Checkpoint
RP824: 3/26/2009 12:34:15 PM - System Checkpoint
RP825: 3/27/2009 1:14:11 PM - System Checkpoint
RP826: 3/28/2009 1:29:03 PM - System Checkpoint
RP827: 3/29/2009 2:26:00 PM - System Checkpoint
RP828: 3/30/2009 2:37:44 PM - System Checkpoint
RP829: 3/31/2009 2:51:58 PM - System Checkpoint
RP830: 4/1/2009 2:57:25 PM - System Checkpoint
RP831: 4/2/2009 3:27:36 PM - System Checkpoint
RP832: 4/3/2009 4:22:44 PM - System Checkpoint
RP833: 4/4/2009 5:09:26 PM - System Checkpoint
RP834: 4/5/2009 5:55:17 PM - System Checkpoint
RP835: 4/6/2009 6:06:22 PM - System Checkpoint
RP836: 4/7/2009 6:57:42 PM - System Checkpoint
RP837: 4/8/2009 7:34:23 PM - System Checkpoint
RP838: 4/9/2009 7:48:07 PM - System Checkpoint
RP839: 4/11/2009 6:21:34 AM - System Checkpoint
RP840: 4/12/2009 6:47:19 AM - System Checkpoint
RP841: 4/13/2009 7:12:07 AM - System Checkpoint
RP842: 4/14/2009 8:08:52 AM - System Checkpoint
RP843: 4/15/2009 8:46:57 AM - System Checkpoint
RP844: 4/16/2009 6:57:12 AM - Software Distribution Service 3.0
RP845: 4/17/2009 7:35:27 AM - System Checkpoint
RP846: 4/18/2009 7:43:05 AM - System Checkpoint
RP847: 4/19/2009 8:16:03 AM - System Checkpoint
RP848: 4/20/2009 8:17:19 AM - System Checkpoint
RP849: 4/21/2009 10:19:58 AM - System Checkpoint
RP850: 4/22/2009 11:05:29 AM - System Checkpoint
RP851: 4/23/2009 11:39:01 AM - System Checkpoint
RP852: 4/24/2009 12:25:07 PM - System Checkpoint
RP853: 4/26/2009 8:50:44 AM - System Checkpoint
RP854: 4/27/2009 9:02:37 AM - System Checkpoint
RP855: 4/28/2009 9:35:51 AM - System Checkpoint
RP856: 4/28/2009 12:12:33 PM - Software Distribution Service 3.0
RP857: 4/29/2009 12:34:35 PM - System Checkpoint
RP858: 4/30/2009 1:03:26 PM - System Checkpoint
RP859: 5/1/2009 1:32:59 PM - System Checkpoint
RP860: 5/2/2009 2:09:56 PM - System Checkpoint
RP861: 5/3/2009 5:48:51 PM - System Checkpoint
RP862: 5/4/2009 5:50:57 PM - System Checkpoint
RP863: 5/5/2009 6:35:23 PM - System Checkpoint
RP864: 5/6/2009 7:05:58 PM - Installed Connect Service
RP865: 5/7/2009 7:33:12 PM - System Checkpoint
RP866: 5/9/2009 7:33:49 AM - System Checkpoint
RP867: 5/10/2009 7:39:18 AM - System Checkpoint
RP868: 5/11/2009 8:19:28 AM - System Checkpoint
RP869: 5/12/2009 3:41:10 PM - System Checkpoint
RP870: 5/13/2009 6:41:15 AM - Software Distribution Service 3.0
RP871: 5/14/2009 6:42:07 AM - System Checkpoint
RP872: 5/15/2009 7:06:29 AM - System Checkpoint
RP873: 5/16/2009 8:00:22 AM - System Checkpoint
RP874: 5/16/2009 1:00:17 PM - Installed W Photo Studio
RP875: 5/17/2009 6:02:49 PM - System Checkpoint
RP876: 5/18/2009 6:40:02 PM - System Checkpoint
RP877: 5/19/2009 6:49:21 PM - System Checkpoint
RP878: 5/20/2009 7:42:42 PM - System Checkpoint
RP879: 5/21/2009 8:19:56 PM - System Checkpoint
RP880: 5/23/2009 8:03:34 AM - System Checkpoint
RP881: 5/24/2009 10:07:08 AM - System Checkpoint
RP882: 5/25/2009 10:33:11 AM - System Checkpoint
RP883: 6/3/2009 10:04:26 AM - System Checkpoint
RP884: 6/4/2009 1:43:44 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player ActiveX
Adobe Reader 9.1.1
ArcSoft PhotoImpression 6
ArcSoft Print Creations
ArcSoft Print Creations - Photo Calendar
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Convert
Creative Live! Cam Center
Creative Live! Cam Notebook Driver (1.00.03.0000)
Creative Live! Cam User's Guide
Creative Photo Manager
Creative Software AutoUpdate
Creative System Information
Easy CD & DVD Creator 6
EPSON CX9400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX9400Fax Series Scanner Driver Update
getPlus® for Adobe
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
gPhotoShow v1.6.0
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
IrfanView (remove only)
iTunes
Java 6 Update 7
Linksys Wireless-G PCI Network Adapter with SpeedBooster
LiveUpdate 1.7 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MSN
muveeNow 2.0 - Creative
NavExcel Search Toolbar (remove only)
NavHelper
PCI Audio Driver
Platform
QuickTime
Search Assistant
Searchersmart
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Skype
  22. Hi, We are definitely making progress. Logs below. Thanks again.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\WINDOWS\SYSTEM32\oxyase.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\oxyase.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\gemqsh.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\gemqsh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\saxdrk.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\saxdrk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\gmhait.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\gmhait.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\cphvev.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\cphvev.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 5.1.2600 Service Pack 3

6/4/2009 1:16:59 PM
mbam-log-2009-06-04 (13-16-59).txt

Scan type: Quick Scan
Objects scanned: 81137
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACqoenolufvwfdedw.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\system32\UACrvvmhskiikxiamt.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACylkdvjbphewxngi.sys.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UACdc22.tmp.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Ray\Desktop\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
c:\documents and settings\Ray\start menu\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:14 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WT.Net\Fptool.exe
C:\WINDOWS\V0470Mon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Search-09\Search.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7737 bytes
  23. Hi, Just tried to run hjt in safe mode and was successful. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:02 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Search-09\Search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk1.exe -c
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [13335464] C:\Documents and Settings\All Users\Application Data\13335464\13335464.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SEB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sysav] C:\Documents and Settings\Ray\Application Data\pcdefender.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: oxyase.dll gemqsh.dll saxdrk.dll gmhait.dll cphvev.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7246 bytes
  24. Forgot. fixmbam would not install. Could not uninstall Malwarebytes.
  25. Hi, Malwarebytes will not run in real mode, but starts and runs in safe mode. It finds 6 in registry and 15 total during scan, then the computer reboots before scan is finished, so nothing is cleaned. Have tried twice.