Free Malware Removal Forum

by **lhanna** » April 3rd, 2009, 5:01 pm

Hi,

Norton 360 reports Trojan.Metajuan
Ad-Aware AE reports Win32.Rootkit.TDSS
Ad-Aware AE reports Win32.Trojan.Olmarik

I also needed to rename HJTInstall.EXE before it would run.

Any and all help is be greatly appreciated, Thanks !!! - Louis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:53 PM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... B&M=MX6426
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\Antispyware\Antispyware.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8620664046
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insani ... er_v10.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9756 bytes

by **jmw3** » April 4th, 2009, 5:26 pm

Hello & Welcome to Malware Removal
Apologies for the delay. As you can appreciate the forums are quite busy.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the Post A Reply page.

In the meantime please note the following:

Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-Click on dds.scr and a command window will appear. This is normal
Shortly after a log will appear
Click Yes at the next prompt, another log named attach.txt will appear
A window will open instructing you to post both logs. Copy the contents of both logs & post in your next reply

Gmer
Download gmer.zip from Gmer here & save it to your desktop.

Right click on gmer.zip, select Extract All... & extract the contents to your desktop
Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

To post in next reply:
DDS log
Contents of Attach.txt
Gmer log

by **lhanna** » April 5th, 2009, 2:07 am

Hi,

Below are the requested files, I encountered a problem running gmer. After double clicking to start it nothing would happen, but I could see it in Task Manager getting 0 CPU. I renamed it to lher and it appears to have run fine. Once again your assistance is greatly appreciated.

DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 23:48:44.44 on Sat 04/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.422 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Louis\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html ... B&M=MX6426
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html ... B&M=MX6426
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISMModule4] "c:\program files\ism\ISMModule4.exe"
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Antispyware] c:\program files\antispyware\Antispyware.exe -boot
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8620664046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... wflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insani ... er_v10.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\ulebasuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-1 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-3-23 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-3-23 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-3-23 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-3 276344]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-3-23 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-23 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-11-27 200576]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090403.004\NAVENG.SYS [2009-4-3 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090403.004\NAVEX15.SYS [2009-4-3 876144]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-20 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-04-03 15:49 2 a------- c:\windows\msoffice.ini
2009-04-01 20:06 21,410 a------- c:\windows\system32\AAWService_2009_04_01_20_06_57.dmp
2009-04-01 19:52 21,887 a------- c:\windows\system32\AAWService_2009_04_01_19_52_12.dmp
2009-04-01 19:01 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-01 18:55 22,740 a------- c:\windows\system32\AAWService_2009_04_01_18_55_53.dmp
2009-04-01 18:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-01 18:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 18:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 18:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-01 18:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 18:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 18:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-01 18:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-01 18:34 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-01 18:14 19,947 a------- c:\windows\system32\AAWService_2009_04_01_18_14_31.dmp
2009-04-01 17:58 <DIR> --d----- c:\windows\system32\scripting
2009-04-01 17:58 <DIR> --d----- c:\windows\system32\en
2009-04-01 17:58 <DIR> --d----- c:\windows\l2schemas
2009-04-01 17:58 <DIR> --d----- c:\windows\system32\bits
2009-04-01 17:53 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-01 17:40 76,800 -------- c:\windows\system32\qutil.dll
2009-04-01 17:39 10,752 -------- c:\windows\system32\smtpapi.dll
2009-04-01 17:31 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 17:31 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 17:31 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 17:31 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 17:23 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 17:23 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-04-01 17:22 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-04-01 17:22 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-04-01 17:20 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-01 16:59 20,799 a------- c:\windows\system32\AAWService_2009_04_01_16_59_35.dmp
2009-04-01 16:53 22,471 a------- c:\windows\system32\AAWService_2009_04_01_16_53_26.dmp
2009-04-01 15:44 22,471 a------- c:\windows\system32\AAWService_2009_04_01_15_44_52.dmp
2009-04-01 15:17 21,276 a------- c:\windows\system32\AAWService_2009_04_01_15_17_34.dmp
2009-04-01 12:58 22,951 a------- c:\windows\system32\AAWService_2009_04_01_12_58_20.dmp
2009-04-01 12:37 22,474 a------- c:\windows\system32\AAWService_2009_04_01_12_37_58.dmp
2009-04-01 12:19 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-01 11:41 <DIR> --d----- c:\program files\Viewpoint
2009-04-01 11:41 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\AOL
2009-04-01 11:25 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-01 11:25 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-01 11:06 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Antispyware
2009-04-01 11:05 <DIR> --d----- C:\Louis
2009-03-31 21:29 <DIR> --d----- C:\N360_BACKUP
2009-03-23 17:51 <DIR> --d----- c:\program files\Norton Support
2009-03-23 17:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-23 17:47 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-23 17:47 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 17:47 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-23 17:47 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 17:47 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-23 17:47 <DIR> --d----- c:\program files\Symantec
2009-03-23 17:45 <DIR> --d----- c:\windows\system32\drivers\N360
2009-03-23 17:44 <DIR> --d----- c:\program files\Norton 360
2009-03-23 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-03-23 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-23 17:36 <DIR> --d----- c:\program files\NortonInstaller
2009-03-23 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-23 16:31 <DIR> --d----- c:\windows\LMI2E.tmp

==================== Find3M ====================

2009-04-01 18:02 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 23:51:24.34 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/20/2006 1:23:25 PM
System Uptime: 4/4/2009 11:41:51 PM (0 hours ago)

Motherboard: Gateway | |
Processor: AMD Turion(tm) 64 Mobile Technology ML-40 | Socket 754 | 2193/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 68 GiB total, 4.812 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 4.826 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\700AEE0B803
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\700AEE0B803
Service: NIC1394

==== System Restore Points ===================

RP1: 4/3/2009 4:24:00 PM - Norton 360 Registry Clean

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 7.0.8
AiO_Scan
AiOSoftware
AOL Instant Messenger
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bejeweled 2 Deluxe
BigFix
Blackhawk Striker 2
Blasterball 2 Revolution
Bonjour
Broadcom 802.11 Network Adapter
Browser Address Error Redirector
BufferChm
Canon MP600
Conexant AC-Link Audio
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Diner Dash
Director
DocProc
DocumentViewer
DVD Solution
EPSON Print CD
EPSON Printer Software
EPSON Scan
EPSON Stylus Photo RX580 Scanner Driver Update
EPSON Stylus Photo RX580 User's Guide
EPSON Web-To-Page
FATE
Fax
Gateway Game Console
GEAR driver installer for x86 and x64
GearDrvs
Google Desktop
gtw_logo
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
iTunes
J2SE Runtime Environment 5.0 Update 2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Napster Burn Engine
Norton 360
PanoStandAlone
Penguins!
PhotoGallery
Polar Bowler
Polar Golfer
Power2Go 4.0
PowerDVD
QFolder
QuickTime
Readme
RealPlayer
Recovery Software Suite Gateway
Scan
ScannerCopy
ScanSoft OmniPage SE 4.0
SCRABBLE
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SkinsHP1
Soft Data Fax Modem with SmartCP
Sonic Encoders
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Print Shop 22
TIPCI
Tradewinds
TrayApp
Unload
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB914548
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

4/1/2009 3:20:05 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2009 3:20:05 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V6 service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The Norton 360 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Broadcom Wireless LAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:57:33 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 12:37:32 PM, error: Service Control Manager [7031] - The Norton 360 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/1/2009 12:37:32 PM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/1/2009 12:37:32 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 12:37:32 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
4/1/2009 12:37:32 PM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/1/2009 12:35:20 PM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/1/2009 12:35:20 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 12:35:20 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 12:35:20 PM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/1/2009 11:33:19 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 804f3568.
4/1/2009 9:31:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/1/2009 9:30:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/1/2009 8:51:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 BHDrvx86 ccHP eeCtrl Fips IDSxpx86 IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SYMTDI Tcpip
4/1/2009 8:51:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2009 8:51:37 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2009 8:51:37 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2009 8:51:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/31/2009 10:16:43 PM, error: System Error [1003] - Error code 1000000a, parameter1 00650088, parameter2 00000002, parameter3 00000000, parameter4 804f3568.
3/31/2009 9:13:30 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/31/2009 9:13:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
4/1/2009 3:22:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/1/2009 3:42:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
4/1/2009 7:48:38 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/1/2009 7:48:38 PM, error: Service Control Manager [7034] - The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s).
4/1/2009 7:51:40 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 960000 milliseconds: Restart the service.
4/1/2009 7:58:00 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 805b0b02, parameter3 f7959bc8, parameter4 f79598c4.
4/1/2009 8:06:16 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Gmer log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-05 01:58:54
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 860B40B8 ZwEnumerateKey
Code 860A7180 ZwFlushInstructionCache
Code 860B8DCE IofCallDriver
Code 860BD106 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\UACrvqlahky.sys (*** hidden *** ) F1E37000-F1E4A000 (77824 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [260] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1064] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1192] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1588] 0x00F80000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1640] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1840] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1900] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [3440] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3640] 0x00F80000
Library \\?\globalroot\systemroot\system32\UACtghsuvjm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5584] 0x00F80000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACrvqlahky.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyjnlpuce.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjwejjddy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACotodjvyj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkrcsxcqe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACeykkejfq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtghsuvjm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACmnactako.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACninqpxig.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACebwvkvpp.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyjnlpuce.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjwejjddy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACotodjvyj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkrcsxcqe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACeykkejfq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtghsuvjm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACmnactako.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACninqpxig.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACebwvkvpp.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyjnlpuce.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjwejjddy.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACotodjvyj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkrcsxcqe.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACeykkejfq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtghsuvjm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACmnactako.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACninqpxig.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACebwvkvpp.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uactghsuvjm.dll.43a3be4368868a4cf9aa181fd1e493.aawqff 66052 bytes
File C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Local Settings\Temp\UACa12d.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACrvqlahky.sys 65536 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACeykkejfq.dll 18944 bytes executable
File C:\WINDOWS\system32\uacinit.dll 5521 bytes
File C:\WINDOWS\system32\UACjwejjddy.dat 127 bytes
File C:\WINDOWS\system32\UACkrcsxcqe.dll 24576 bytes executable
File C:\WINDOWS\system32\UACmnactako.log 99725 bytes
File C:\WINDOWS\system32\UACotodjvyj.dll 27136 bytes executable
File C:\WINDOWS\system32\UACtghsuvjm.dll 66560 bytes
File C:\WINDOWS\system32\UACyjnlpuce.dll 31232 bytes executable
File C:\WINDOWS\Temp\UAC48bc.tmp 66560 bytes

---- EOF - GMER 1.0.15 ----

Louis

by **jmw3** » April 5th, 2009, 10:03 am

Hi

ATF Cleaner
Download ATF Cleaner here by Atribune.

ATF-Cleaner.exe

Main

Select All

Empty Selected

If you use Firefox browser

Firefox

Select All

Empty Selected

NOTE:

No

If you use Opera browser

Opera

Select All

Empty Selected

NOTE:

No

Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Rename ComboFix.exe to Commy.exe BEFORE saving it to your Desktop**

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Run Gmer again following the instructions previously posted.

To post in next reply:
Combofix log
New Gmer log
Update on how the computer is running

by **lhanna** » April 5th, 2009, 3:56 pm

Hi,

Executed all instructions without any problem. Was even able to run GMER without renaming it. Laptop appears to be running well (I am doing this for a friend), plan to reboot, perform some standard scans and will post a second update. Here are the logs requested:

Combofix:

ComboFix 09-04-04.01 - Owner 2009-04-05 13:23:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.632 [GMT -4:00]
Running from: c:\louis\Commy.exe
* Created a new restore point
.
/wow section - STAGE 24
The system cannot find the path specified.
The system cannot find the path specified.
The system cannot find the path specified.
Could Not Find c:\commy\temp03
Access is denied.

/wow section - STAGE 32A
The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\system32\drivers\UACrvqlahky.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\UACebwvkvpp.log
c:\windows\system32\UACeykkejfq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjwejjddy.dat
c:\windows\system32\UACkrcsxcqe.dll
c:\windows\system32\UACmnactako.log
c:\windows\system32\UACninqpxig.log
c:\windows\system32\UACotodjvyj.dll
c:\windows\system32\UACtghsuvjm.dll
c:\windows\system32\UACyjnlpuce.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-03 15:49 . 2009-04-03 15:49 2 --a------ c:\windows\msoffice.ini
2009-04-01 20:06 . 2009-04-01 20:06 21,410 --a------ c:\windows\system32\AAWService_2009_04_01_20_06_57.dmp
2009-04-01 19:52 . 2009-04-01 19:52 21,887 --a------ c:\windows\system32\AAWService_2009_04_01_19_52_12.dmp
2009-04-01 19:01 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-04-01 18:55 . 2009-04-01 18:55 22,740 --a------ c:\windows\system32\AAWService_2009_04_01_18_55_53.dmp
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\windows\system32\XPSViewer
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\program files\Reference Assemblies
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\program files\MSBuild
2009-04-01 18:34 . 2009-04-01 18:51 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-01 18:34 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-04-01 18:34 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 18:34 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 18:34 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-04-01 18:34 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 18:34 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-04-01 18:34 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 18:14 . 2009-04-01 18:14 19,947 --a------ c:\windows\system32\AAWService_2009_04_01_18_14_31.dmp
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\scripting
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\en
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\bits
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\l2schemas
2009-04-01 17:53 . 2009-04-01 17:53 <DIR> d-------- c:\windows\ServicePackFiles
2009-04-01 17:40 . 2008-04-13 20:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-04-01 17:39 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-04-01 17:31 . 2008-08-14 06:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 17:31 . 2008-08-14 06:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 17:31 . 2008-08-14 05:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 17:31 . 2008-08-14 05:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 17:23 . 2008-10-24 07:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 17:23 . 2008-12-11 06:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-04-01 17:22 . 2008-09-04 13:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-04-01 17:22 . 2008-10-15 12:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-04-01 17:20 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-04-01 16:59 . 2009-04-01 16:59 20,799 --a------ c:\windows\system32\AAWService_2009_04_01_16_59_35.dmp
2009-04-01 16:53 . 2009-04-01 16:53 22,471 --a------ c:\windows\system32\AAWService_2009_04_01_16_53_26.dmp
2009-04-01 15:44 . 2009-04-01 15:44 22,471 --a------ c:\windows\system32\AAWService_2009_04_01_15_44_52.dmp
2009-04-01 15:17 . 2009-04-01 15:17 21,276 --a------ c:\windows\system32\AAWService_2009_04_01_15_17_34.dmp
2009-04-01 12:58 . 2009-04-01 12:58 22,951 --a------ c:\windows\system32\AAWService_2009_04_01_12_58_20.dmp
2009-04-01 12:37 . 2009-04-01 12:37 22,474 --a------ c:\windows\system32\AAWService_2009_04_01_12_37_58.dmp
2009-04-01 12:19 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-04-01 11:41 . 2009-04-01 11:41 <DIR> d-------- c:\program files\Viewpoint
2009-04-01 11:41 . 2009-04-03 15:49 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\AOL
2009-04-01 11:25 . 2009-04-01 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-01 11:25 . 2009-04-01 11:25 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-01 11:25 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-04-01 11:19 . 2009-04-01 11:23 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Lavasoft
2009-04-01 11:06 . 2009-04-01 11:06 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Antispyware
2009-04-01 11:05 . 2009-04-05 13:03 <DIR> d-------- C:\Louis
2009-03-31 21:29 . 2009-03-31 21:29 <DIR> d-------- C:\N360_BACKUP
2009-03-23 17:51 . 2009-03-23 17:51 <DIR> d-------- c:\program files\Norton Support
2009-03-23 17:48 . 2009-03-23 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-23 17:47 . 2009-03-23 17:47 <DIR> d-------- c:\program files\Symantec
2009-03-23 17:47 . 2009-03-23 17:47 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 17:47 . 2009-03-23 17:47 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-23 17:47 . 2009-03-23 17:46 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-23 17:47 . 2009-03-23 17:47 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 17:47 . 2009-03-23 17:47 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-23 17:45 . 2009-03-23 17:45 <DIR> d-------- c:\windows\system32\drivers\N360
2009-03-23 17:44 . 2009-03-23 17:45 <DIR> d-------- c:\program files\Norton 360
2009-03-23 17:37 . 2009-03-23 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2009-03-23 17:37 . 2009-03-23 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-23 17:36 . 2009-03-23 17:36 <DIR> d-------- c:\program files\NortonInstaller
2009-03-23 17:36 . 2009-03-23 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-23 16:31 . 2009-03-23 17:32 <DIR> d-------- c:\windows\LMI2E.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 20:07 --------- d-----w c:\program files\Trend Micro
2009-04-03 20:00 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-04-03 19:51 --------- d-----w c:\program files\Pure Networks
2009-04-03 19:51 --------- d-----w c:\program files\Common Files\AOL
2009-04-01 15:41 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-01 15:36 --------- d-----w c:\program files\BigFix
2009-04-01 15:25 --------- d-----w c:\program files\Lavasoft
2009-04-01 01:50 --------- d-----w c:\program files\LimeWire
2009-03-24 14:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-23 22:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-09 16:44 --------- d-----w c:\program files\Napster
2009-02-09 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-02-09 16:43 --------- d-----w c:\program files\My Memories Suite
2009-02-09 16:38 --------- d-----w c:\program files\Kodak
2009-02-09 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-10-10 01:55 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-20 00:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 00:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 00:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 00:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 00:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-26 180269]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-09 29744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-11-27 2168360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-01 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-03-23 17:46:44 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2009-03-23 17:46:43 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2009-03-23 17:46:43 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2009-03-23 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-11-27 200576]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-03-20 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e2db192-f268-11dd-b8b1-00c0a8cd7a54}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-04-01 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware\Antispyware.exe []

2009-04-01 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware []

2006-12-20 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 20:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Antispyware - c:\program files\Antispyware\Antispyware.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insani ... er_v10.cab
FF - ProfilePath - c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Mozilla\Firefox\Profiles\ulebasuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 13:43:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1256)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRAY.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-05 13:47:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 17:47:02

Pre-Run: 6,544,699,392 bytes free
Post-Run: 6,433,566,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

276

GMER:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-05 15:49:49
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 85EB9310 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75F187E]
SSDT 853D8A20 ZwCreateThread
SSDT 85EE4A10 ZwLoadDriver
SSDT 85E7B7D0 ZwResumeThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75F1C10]

Code \??\C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrvqlahky.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyjnlpuce.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjwejjddy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACotodjvyj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkrcsxcqe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACeykkejfq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtghsuvjm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACmnactako.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACninqpxig.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACebwvkvpp.log

---- EOF - GMER 1.0.15 ----

So far everything looks really good !

Thanks,

Louis

by **jmw3** » April 6th, 2009, 12:16 am

Hi

Executed all instructions without any problem. Was even able to run GMER without renaming it. Laptop appears to be running well (I am doing this for a friend), plan to reboot, perform some standard scans and will post a second update

Good to hear computer is running well but could you hold off on running any scans yourself until we're finished here.
Thanks

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

DirLook::
c:\windows\SxsCaPendDel
c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
c:\windows\LMI2E.tmp
File::
c:\windows\Tasks\Antispyware Scheduled Scan.job
c:\windows\Tasks\ISP signup reminder 1.job
c:\windows\system32\BAE.dll
Folder::
c:\program files\Antispyware
c:\program files\ism
c:\program files\LimeWire
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e2db192-f268-11dd-b8b1-00c0a8cd7a54}]
RegLockDel::
[HKLM\SYSTEM\ControlSet002\Services\UACd.sys]
DDS::
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
uRun: [ISMModule4] "c:\program files\ism\ISMModule4.exe"
uRun: [Antispyware] c:\program files\antispyware\Antispyware.exe -boot
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insani ... er_v10.cab

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.

Download the latest version of Java Runtime Environment (JRE) 6 Here
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<

Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply

To post in next reply:
Combofix log
Kaspersky Scan log

by **lhanna** » April 6th, 2009, 9:28 am

Oooops, sorry, I had run a scan prior to your update. Do I need to regenerate any of the above logs before proceeding with your next instructions?

Thanks,

Louis

by **lhanna** » April 6th, 2009, 6:33 pm

Hi,

I performed the two tasks without problem. Also note that original Combofix.exe to create the first log and not Commy.exe that was used earlier.

ComboFix:

ComboFix 09-04-04.01 - Owner 2009-04-06 14:00:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.465 [GMT -4:00]
Running from: c:\louis\ComboFix.exe
Command switches used :: c:\louis\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid3356.log
c:\windows\system32\BAE.dll
c:\windows\Tasks\Antispyware Scheduled Scan.job
c:\windows\Tasks\ISP signup reminder 1.job

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 00:04 . 2009-04-06 00:04 98 --ah----- C:\aaw7boot.cmd
2009-04-03 15:49 . 2009-04-03 15:49 2 --a------ c:\windows\msoffice.ini
2009-04-01 20:06 . 2009-04-01 20:06 21,410 --a------ c:\windows\system32\AAWService_2009_04_01_20_06_57.dmp
2009-04-01 19:52 . 2009-04-01 19:52 21,887 --a------ c:\windows\system32\AAWService_2009_04_01_19_52_12.dmp
2009-04-01 19:01 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-04-01 18:55 . 2009-04-01 18:55 22,740 --a------ c:\windows\system32\AAWService_2009_04_01_18_55_53.dmp
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\windows\system32\XPSViewer
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\program files\Reference Assemblies
2009-04-01 18:35 . 2009-04-01 18:35 <DIR> d-------- c:\program files\MSBuild
2009-04-01 18:34 . 2009-04-01 18:51 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-01 18:34 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-04-01 18:34 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 18:34 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 18:34 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-04-01 18:34 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 18:34 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-04-01 18:34 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 18:14 . 2009-04-01 18:14 19,947 --a------ c:\windows\system32\AAWService_2009_04_01_18_14_31.dmp
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\scripting
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\en
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\system32\bits
2009-04-01 17:58 . 2009-04-01 17:58 <DIR> d-------- c:\windows\l2schemas
2009-04-01 17:53 . 2009-04-01 17:53 <DIR> d-------- c:\windows\ServicePackFiles
2009-04-01 17:40 . 2008-04-13 20:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-04-01 17:39 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-04-01 17:31 . 2008-08-14 06:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 17:31 . 2008-08-14 06:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 17:31 . 2008-08-14 05:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 17:31 . 2008-08-14 05:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 17:23 . 2008-10-24 07:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 17:23 . 2008-12-11 06:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-04-01 17:22 . 2008-09-04 13:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-04-01 17:22 . 2008-10-15 12:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-04-01 17:20 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-04-01 16:59 . 2009-04-01 16:59 20,799 --a------ c:\windows\system32\AAWService_2009_04_01_16_59_35.dmp
2009-04-01 16:53 . 2009-04-01 16:53 22,471 --a------ c:\windows\system32\AAWService_2009_04_01_16_53_26.dmp
2009-04-01 15:44 . 2009-04-01 15:44 22,471 --a------ c:\windows\system32\AAWService_2009_04_01_15_44_52.dmp
2009-04-01 15:17 . 2009-04-01 15:17 21,276 --a------ c:\windows\system32\AAWService_2009_04_01_15_17_34.dmp
2009-04-01 12:58 . 2009-04-01 12:58 22,951 --a------ c:\windows\system32\AAWService_2009_04_01_12_58_20.dmp
2009-04-01 12:37 . 2009-04-01 12:37 22,474 --a------ c:\windows\system32\AAWService_2009_04_01_12_37_58.dmp
2009-04-01 11:41 . 2009-04-01 11:41 <DIR> d-------- c:\program files\Viewpoint
2009-04-01 11:41 . 2009-04-03 15:49 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\AOL
2009-04-01 11:25 . 2009-04-06 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-01 11:19 . 2009-04-01 11:23 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Lavasoft
2009-04-01 11:06 . 2009-04-01 11:06 <DIR> d-------- c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Antispyware
2009-04-01 11:05 . 2009-04-06 14:00 <DIR> d-------- C:\Louis
2009-03-31 21:29 . 2009-03-31 21:29 <DIR> d-------- C:\N360_BACKUP
2009-03-23 17:51 . 2009-03-23 17:51 <DIR> d-------- c:\program files\Norton Support
2009-03-23 17:48 . 2009-03-23 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-23 17:47 . 2009-03-23 17:47 <DIR> d-------- c:\program files\Symantec
2009-03-23 17:47 . 2009-03-23 17:47 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 17:47 . 2009-03-23 17:47 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-23 17:47 . 2009-03-23 17:46 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-23 17:47 . 2009-03-23 17:47 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 17:47 . 2009-03-23 17:47 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-23 17:45 . 2009-03-23 17:45 <DIR> d-------- c:\windows\system32\drivers\N360
2009-03-23 17:44 . 2009-03-23 17:45 <DIR> d-------- c:\program files\Norton 360
2009-03-23 17:37 . 2009-03-23 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2009-03-23 17:37 . 2009-03-23 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-23 17:36 . 2009-03-23 17:36 <DIR> d-------- c:\program files\NortonInstaller
2009-03-23 17:36 . 2009-03-23 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-23 16:31 . 2009-03-23 17:32 <DIR> d-------- c:\windows\LMI2E.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 04:08 --------- d-----w c:\program files\Lavasoft
2009-04-03 20:07 --------- d-----w c:\program files\Trend Micro
2009-04-03 20:00 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-04-03 19:51 --------- d-----w c:\program files\Pure Networks
2009-04-03 19:51 --------- d-----w c:\program files\Common Files\AOL
2009-04-01 15:41 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-01 15:36 --------- d-----w c:\program files\BigFix
2009-03-24 14:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-23 22:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-09 16:44 --------- d-----w c:\program files\Napster
2009-02-09 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-02-09 16:43 --------- d-----w c:\program files\My Memories Suite
2009-02-09 16:38 --------- d-----w c:\program files\Kodak
2009-02-09 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-10-10 01:55 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-20 00:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 00:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 00:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 00:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 00:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B} ----

2009-03-23 17:48 3654 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\DIFxInstallLog.txt
2009-02-04 13:56 86376 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\DifXInstall64.exe
2009-02-04 13:56 75112 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\DifXInstall32.exe
2009-01-27 09:19 8308 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\gearaspiwdmx64.cat
2009-01-27 09:19 7919 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\gearaspiwdmx86.cat
2009-01-15 12:19 30760 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\x64\GEARAspiWDM.sys
2009-01-15 12:19 23848 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\x86\GEARAspiWDM.sys
2009-01-15 11:24 2763 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\GEARAspiWDM.inf
2009-01-15 11:24 2763 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\GEARAspiWDM.inf
2008-04-17 12:12 126312 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\x64\GEARAspi64.dll
2008-04-17 12:12 107368 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\x86\GEARAspi.dll
2008-04-17 12:12 107368 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\x64\GEARAspi.dll
2006-11-02 06:22 525792 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x64\DIFxAPI.dll
2006-11-02 06:21 319456 --a------ c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}\x86\DIFxAPI.dll

---- Directory of c:\windows\LMI2E.tmp ----

2009-03-23 17:26 324 --a------ c:\windows\LMI2E.tmp\rescue.log

---- Directory of c:\windows\SxsCaPendDel ----

((((((((((((((((((((((((((((( SnapShot@2009-04-05_13.45.47.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-05 17:59:31 220,672 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll
+ 2009-04-05 17:59:35 222,720 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-04-05 17:59:43 839,680 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll
+ 2009-04-05 17:59:46 65,024 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll
+ 2009-04-05 18:00:47 1,966,080 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-04-05 18:00:15 1,620,992 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll
+ 2009-04-05 18:00:55 175,104 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-04-05 18:00:53 144,384 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll
+ 2009-04-05 18:18:04 2,332,160 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll
+ 2009-04-05 18:01:13 1,712,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
+ 2009-04-05 18:18:09 55,296 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-04-05 18:01:21 82,944 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-04-05 18:01:20 633,856 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll
+ 2009-04-05 18:01:27 94,208 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-04-05 18:17:51 141,312 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll
+ 2009-04-05 18:01:37 135,680 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll
+ 2009-04-05 18:16:31 756,736 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll
+ 2009-04-05 18:16:15 9,924,096 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6479f975b105808a8d9e7a7fdc762551\System.Data.Entity.ni.dll
+ 2009-04-05 18:17:14 354,816 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll
+ 2009-04-05 18:17:10 939,008 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll
+ 2009-04-05 18:17:01 1,328,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll
+ 2009-04-05 18:17:22 1,801,216 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\a6b58624486714fa71e5e35186850ff0\System.Deployment.ni.dll
+ 2009-04-05 18:17:30 1,116,672 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\543aced762f6b0c3f8e037955941afc6\System.DirectoryServices.ni.dll
+ 2009-04-05 18:17:37 881,152 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-04-05 18:17:40 455,680 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c434a07332ce490711c27fd0edb7562f\System.DirectoryServices.Protocols.ni.dll
+ 2009-04-05 18:17:43 627,712 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll
+ 2009-04-05 18:17:43 280,064 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll
+ 2009-04-05 18:17:49 330,752 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll
+ 2009-04-05 18:17:57 998,400 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
+ 2009-04-05 18:18:13 621,056 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\519d9c618341b136f9b963ffb7495308\System.Net.ni.dll
+ 2009-04-05 18:17:54 311,296 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-04-05 17:59:29 676,352 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\1c8df2da33222c048d683017f2095f04\System.Security.ni.dll
+ 2009-04-05 18:18:25 1,706,496 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll
+ 2009-04-05 18:18:29 212,992 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
+ 2009-04-05 18:18:32 627,200 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll
+ 2009-04-05 18:19:20 141,312 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll
+ 2009-04-05 18:19:40 36,864 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-04-05 18:19:37 547,328 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll
+ 2009-04-05 18:19:47 301,056 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll
+ 2009-04-05 18:19:43 328,704 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll
+ 2009-04-05 18:19:53 859,648 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll
+ 2009-04-05 18:19:32 2,403,328 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll
+ 2009-04-05 18:20:02 2,209,280 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll
+ 2009-04-05 18:20:08 202,240 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll
+ 2009-04-05 18:19:23 129,536 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll
+ 2009-04-05 18:20:15 1,840,640 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b57bb002a655920cbfa2bee29d1e22b7\System.Web.Services.ni.dll
+ 2009-04-05 18:19:05 11,796,992 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
+ 2009-04-05 18:20:40 37,888 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-04-05 18:20:51 2,992,640 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll
+ 2009-04-05 18:21:10 4,514,304 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll
+ 2009-04-05 18:21:24 1,908,224 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d265da36954fcb4cb7ad5adc693ea0f2\System.Workflow.Runtime.ni.dll
+ 2009-04-05 18:21:36 1,356,288 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ac1750e78d79520dcf19195772eff1b6\System.WorkflowServices.ni.dll
+ 2009-04-05 18:21:41 400,896 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll
- 2009-04-05 16:54:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-06 01:59:03 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-05 16:54:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-06 01:59:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-06 17:47:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_110.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-26 180269]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-09 29744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-11-27 2168360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-03-23 17:46:44 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2009-03-23 17:46:43 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2009-03-23 17:46:43 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2009-03-23 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-11-27 200576]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-03-20 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-DEFFCD2501\Application Data\Mozilla\Firefox\Profiles\ulebasuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 14:04:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1248)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-06 14:08:05
ComboFix-quarantined-files.txt 2009-04-06 18:06:48
ComboFix2.txt 2009-04-05 17:47:36

Pre-Run: 6,437,924,864 bytes free
Post-Run: 6,419,492,864 bytes free

285

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 18:44:06
Records in database: 2018604
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 125492
Threat name: 6
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:35:31

File name / Threat name / Threats count
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Incomplete\Preview-T-3545427-bam boo banga [cd rip].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\bam boo banga - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\cash cash dynamite.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\Miley Cyrus- Breakout.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\zig zag hannah montana 2009.mp3 Infected: Trojan-Downloader.WMA.GetCodec.y 1
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\zig zag miley cyrus.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtghsuvjm.dll.vir Infected: Packed.Win32.Tdss.f 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP2\A0000157.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.

Thanks ! - Louis

by **jmw3** » April 6th, 2009, 9:54 pm

Hi
Looking good.

Delete those mp3s that Kasperky flagged as they're infected:
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Incomplete\Preview-T-3545427-bam boo banga [cd rip].mp3
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\bam boo banga - greatest hits.mp3
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\cash cash dynamite.mp3
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\Miley Cyrus- Breakout.mp3
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\zig zag hannah montana 2009.mp3
C:\Documents and Settings\Owner.YOUR-DEFFCD2501\Shared\zig zag miley cyrus.mp3

The other files will be taken care of when we clean up.

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components :

Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

How to prevent it from being recreated every time you run the AOL software:
- Open AOL
- Go to Help on the toolbar
- Select About AOL
- Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTCleanIt
Download OTCleanIt here & save it to your desktop.
Double click on OTCleanIt.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Delete the following from your desktop:
DDS.scr
You can either delete or keep ATF-Cleaner. It's a handy tool for cleaning out your temporary folders.

Any problems?

by **lhanna** » April 7th, 2009, 2:21 pm

Hi,

No problems with the removal instructions. I've updated Adobe and yanked Viewpoint. Is it okay for me to run Kaspersky again ?

Thanks !

Louis

by **jmw3** » April 7th, 2009, 8:20 pm

Hi
You can run the Kaspersky scan again if you like.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):

Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
Click Disable DNS Service. This is important
In the Left Pane, click Download
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums

by **lhanna** » April 8th, 2009, 12:34 pm

Hi,

I reran Kaspersky last night and it showed all clear. I ran a full scan with Norton 360 this morning and it flagged 3 items. The first to identified two additional MP3s which I manually removed (using Norton) without problem. The third is the original Trojan.Metajuan instance in globalroot\systemroot\system32\uactghsuvjm.dll. I went to directory C:\Windows\System32\ but did not see a file called uactghsuvjm.dll. Manual remove using Norton fails and I can't seem to get Norton over this issue. Am I now dealing with a product issue or is it possible that some sort of trace of Trojan.Metajuan still exists ?

Thanks !

Louis

by **jmw3** » April 8th, 2009, 1:10 pm

Hi
That file was taken out in the first round of Combofix:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\system32\drivers\UACrvqlahky.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\UACebwvkvpp.log
c:\windows\system32\UACeykkejfq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjwejjddy.dat
c:\windows\system32\UACkrcsxcqe.dll
c:\windows\system32\UACmnactako.log
c:\windows\system32\UACninqpxig.log
c:\windows\system32\UACotodjvyj.dll
c:\windows\system32\UACtghsuvjm.dll
c:\windows\system32\UACyjnlpuce.dll
D:\Autorun.inf

My guess is a left over registry entry, but to be sure let's have look with this:
RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.

Double click RootRepeal.exe to start the program
Click the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File then Exit to close the program

Post the contents of the log in your next reply.

by **lhanna** » April 8th, 2009, 2:12 pm

Hi,

RootRepeal:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/08 13:53
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0770000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A82000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE3A8000 Size: 45056 File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7259000 Size: 323584 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
Status: Size mismatch (API: 18500, Raw: 19878)

Path: C:\WINDOWS\system32\wbem\Logs\wbemcore.log
Status: Size mismatch (API: 58800, Raw: 58710)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85de3158

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x850e6218

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x85fbc8b8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86155e70

Thanks !

Louis

by **jmw3** » April 8th, 2009, 3:57 pm

Hi

Nothing showing in RootRepeal log. Only other reference to that entry being flagged is in the Gmer log you provided earlier:
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtghsuvjm.dll
The only ControlSet of concern is the CurrentControlSet. Note that this entry is in ControlSet002, which means it's the Last Known Good Configuration. If it is the LKGC & you use that it's harmless as the files it references no longer exist. LKGC should be over written with each successful boot. Have you tried rebooting your computer then see if Norton flags it?

Free Malware Removal Forum

Can't remove virus detected by Norton 360 and Ad-Aware AE

Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Re: Can't remove virus detected by Norton 360 and Ad-Aware AE

Who is online