
Author Topic: iexplore.exe - Application Error  (Read 14961 times)


danldo

    Topic Starter


    Beginner

    iexplore.exe - Application Error
    « on: August 19, 2010, 10:53:49 AM »
    I have XP SP2 running IE8. Every time I try to open Internet Explorer I get an error message: iexplore.exe - Application Error. The instruction at "0xd5584b4a" referenced memory at "0xd5584b4a". The memory could not be "read".
    I have scanned with Malwarebytes and it found 3 infected files and removed them. I have tried disabling IE add-ons, but it still does not work.
    I booted in safe mode with networking and Internet Explorer works.
    I rebooted and here is my HijackThis log.
    Any help please.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:31:19 AM, on 8/19/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\winvnc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe   /brand=ESPN   /priority=0   /poll=24
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DRGOMEZ.LOCAL
    O17 - HKLM\Software\..\Telephony: DomainName = DRGOMEZ.LOCAL
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DRGOMEZ.LOCAL
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bsarad.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bsarad.com
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1ca3ddbc0872076) (gupdate1ca3ddbc0872076) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe

    --
    End of file - 10269 bytes

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    Re: iexplore.exe - Application Error
    « Reply #1 on: August 20, 2010, 01:02:06 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.
    ********************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    *****************************************

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.
        • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
      Please leave the others unchecked
    * Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes
    * To retrieve the removal information please do the following:
        • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        • Click Preferences. Click the Statistics/Logs tab.
        • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        • It will open in your default text editor (preferably Notepad).
        • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    *******************************************

    Download ComboFix by sUBs from one of the below links. 

    Important! You MUST save ComboFix to your desktop

    link # 1
    Link # 2

    Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click on ComboFix.exe & follow the prompts.

    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    When the scan completes it will open a text window.
     
    Post the contents of that log in your next reply.

    Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's
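
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted above that reconciles a helper's fix list against a scan (the "if there" check), marks `(no file)` registrations, and groups entries that share a CLSID. The sample text is constructed from lines in this thread, with the MSMSGS Run entry left out of the scan so there is an absent entry to report; the function names and section labels are this example's own.

```python
import re
from collections import defaultdict

# Section codes seen in the thread's log; the labels are this example's shorthand.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE button / Tools menu item", "O16": "ActiveX download (DPF)",
    "O17": "domain / search-list setting", "O23": "service",
}

ENTRY_RE = re.compile(r"^\s*([RFO]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: a few lines from the posted log. The MSMSGS Run entry is
# deliberately left out so the "if there" case has something to report.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
"""

# The four entries the helper asked to have checked, indented as in the post.
SAMPLE_FIXLIST = r"""
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""


def normalise(line):
    """Collapse whitespace and case so copy/paste differences do not break matching."""
    return " ".join(line.split()).casefold()


def parse_entries(text):
    """Return one record per 'Rn - ...' / 'On - ...' line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": code,
            "kind": SECTIONS.get(code, "other"),
            "clsid": clsid.group(0).upper() if clsid else None,
            # "(no file)" is how the posted log marks a registration with no file behind it.
            "orphaned": body.endswith("(no file)"),
            "line": " ".join(raw.split()),
        })
    return entries


def reconcile(log_text, fix_text):
    """Split the fix list into entries present in the scan and entries that are not there."""
    in_log = {normalise(e["line"]) for e in parse_entries(log_text)}
    present, absent = [], []
    for e in parse_entries(fix_text):
        (present if normalise(e["line"]) in in_log else absent).append(e)
    return present, absent


def shared_clsids(entries):
    """Group entries registered under the same CLSID so one component is reviewed as a unit."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["line"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    present, absent = reconcile(SAMPLE_LOG, SAMPLE_FIXLIST)
    for e in present:
        print("check  :", e["code"], "-", e["kind"])
    for e in absent:
        print("absent :", e["line"])
    for e in parse_entries(SAMPLE_LOG):
        if e["orphaned"]:
            print("orphan :", e["clsid"])
    for clsid, lines in shared_clsids(parse_entries(SAMPLE_LOG)).items():
        print("shared :", clsid, "x", len(lines))
```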

    danldo

      Topic Starter


      Beginner

      Re: iexplore.exe - Application Error
      « Reply #2 on: August 23, 2010, 12:27:47 PM »
      I did the scans but it is not working.
      Here are the logs.
      Thank you so much.
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 08/23/2010 at 10:42 AM

      Application Version : 4.41.1000

      Core Rules Database Version : 5393
      Trace Rules Database Version: 3205

      Scan type       : Complete Scan
      Total Scan Time : 00:52:18

      Memory items scanned      : 292
      Memory threats detected   : 0
      Registry items scanned    : 7132
      Registry threats detected : 0
      File items scanned        : 73162
      File threats detected     : 242

      Adware.Tracking Cookie
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@serving-sys[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@sextracker[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@statcounter[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@stats[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@tacoda[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@targetnet[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@tracking[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@tradedoubler[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@trafficmp[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@tribalfusion[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@tripod[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@valueclick[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@webpower[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@windowsmedia[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@winfixer[2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][2].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@xiti[1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric [email protected][1].txt
         C:\Documents and Settings\Eric Gomez\Cookies\eric gomez@zedo[2].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\[email protected][1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\[email protected][1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\[email protected][1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\[email protected][2].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@atdmt[1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@belnk[1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@casalemedia[1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\[email protected][2].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@doubleclick[1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@mediaplex[1].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@partner2profit[2].txt
         C:\Documents and Settings\jtorrez.DRGOMEZ\Cookies\jtorrez@questionmarket[2].txt
         C:\Documents and Settings\lflores\Cookies\[email protected][1].txt
         C:\Documents and Settings\lflores\Cookies\lflores@atdmt[1].txt
         C:\Documents and Settings\lflores\Cookies\lflores@clickbank[1].txt


      ComboFix 10-08-22.07 - egomez 08/23/2010  11:35:48.1.2 - x86 NETWORK
      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.800 [GMT -5:00]
      Running from: c:\documents and settings\egomez.DRGOMEZ\Desktop\ComboFix.exe
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\~WRD0713.tmp
      c:\documents and settings\egomez.DRGOMEZ\Application Data\Edcai
      c:\documents and settings\egomez.DRGOMEZ\Application Data\Edcai\ryope.ezy
      c:\documents and settings\egomez.DRGOMEZ\Application Data\Edcai\ryope.tmp
      c:\documents and settings\egomez.DRGOMEZ\Application Data\Epemeg
      c:\documents and settings\egomez.DRGOMEZ\Application Data\Epemeg\ynoq.exe
      c:\documents and settings\egomez.DRGOMEZ\g2mdlhlpx.exe
      c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Windows Server
      c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Windows Server\flags.ini
      c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Windows Server\server.dat
      c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Windows Server\uses32.dat
      C:\Images
      c:\images\DirCfg.ini
      c:\windows\system32\drivers\fad.sys

      c:\windows\system32\winlogon.exe . . . is infected!!

      c:\windows\explorer.exe . . . is infected!!

      .
      (((((((((((((((((((((((((   Files Created from 2010-07-23 to 2010-08-23  )))))))))))))))))))))))))))))))
      .

      2010-08-23 14:45 . 2010-08-23 14:45   63488   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
      2010-08-23 14:45 . 2010-08-23 14:45   52224   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-08-23 14:45 . 2010-08-23 14:45   117760   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-08-23 14:44 . 2010-08-23 14:44   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com
      2010-08-23 14:44 . 2010-08-23 14:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-08-23 14:43 . 2010-08-23 14:44   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-08-23 12:41 . 2010-08-23 12:41   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Identities
      2010-08-19 15:31 . 2010-08-19 15:31   --------   d-----w-   c:\program files\Trend Micro
      2010-08-18 21:19 . 2010-08-18 21:19   --------   d-----w-   c:\windows\system32\wbem\Repository
      2010-08-18 21:09 . 2010-08-18 21:09   --------   d-sh--w-   c:\documents and settings\egomez.DRGOMEZ\IECompatCache
      2010-08-18 20:42 . 2010-08-18 20:42   --------   d-----w-   C:\QUARANTINE
      2010-08-16 18:01 . 2005-09-17 18:32   745752   ----a-w-   c:\windows\system32\wodSmtp.dll
      2010-08-16 18:01 . 2004-05-19 15:22   114688   ----a-w-   c:\windows\system32\DARTUTIL.DLL
      2010-08-10 22:33 . 2010-08-10 22:33   --------   d-----w-   c:\program files\PMIC EBOOKS

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-08-23 16:00 . 2005-09-07 23:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\DIGStream
      2010-08-23 12:23 . 2009-12-14 13:25   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\HPAppData
      2010-08-20 13:05 . 2010-08-20 12:57   161   ----a-w-   c:\windows\Temp.tmp
      2010-08-19 15:17 . 2010-08-18 21:27   --------   d-----w-   c:\program files\CCleaner
      2010-08-18 22:04 . 2009-12-11 20:39   --------   d-----w-   c:\program files\Yahoo!
      2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\Malwarebytes
      2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-08-12 13:16 . 2005-04-28 18:45   34816   ----a-w-   c:\program files\db_list.dbp
      2010-07-06 14:36 . 2006-06-24 01:31   65912   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-06-23 12:16 . 2010-06-23 12:16   501936   ----a-w-   c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb166.tmp.exe
      2010-06-14 13:42 . 2010-06-14 13:10   77383   ----a-w-   c:\windows\hpqins05.dat
      2005-06-28 16:50 . 2005-06-28 16:50   6144   ----a-w-   c:\program files\DB_LIST_HISTORY.DBP
      .

      ------- Sigcheck -------

      [-] 2004-08-04 . D3408C4FCC614A70F1CB3691C7DDF792 . 502272 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\winlogon.exe

      [-] 2004-08-04 . 9982618CEB1D8DAE75B4AD913A99A3EB . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-19 68856]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-17 148888]
      "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
      "SMSERIAL"="sm56hlpr.exe" [2004-07-19 565248]
      "DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
      "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
      "WinVNC"="c:\program files\RealVNC\WinVNC\winvnc.exe" [2003-03-05 335872]
      "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
      "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
      "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
      "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
      "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
      "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      "RunNarrator"="Narrator.exe" [2004-08-04 53760]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
      Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-7-28 1450047]
      HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
      backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      2006-10-23 07:48   40048   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
      2010-04-13 07:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
      2004-04-26 13:04   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      2010-04-28 20:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      2010-03-18 02:53   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
      2007-10-19 12:31   68856   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      2010-03-08 13:19   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
      2004-01-07 06:01   110592   ----a-w-   c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\WINDOWS\\system32\\sessmgr.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

      R1 NaiAvTdi1;NaiAvTdi1;c:\windows\SYSTEM32\DRIVERS\mvstdi5x.sys [6/23/2006 9:04 PM 58048]
      S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
      S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
      S2 gupdate1ca3ddbc0872076;Google Update Service (gupdate1ca3ddbc0872076);c:\program files\Google\Update\GoogleUpdate.exe [9/25/2009 7:28 AM 133104]
      S2 MLPTDR_B;MLPTDR_B;c:\windows\SYSTEM32\MLPTDR_B.SYS [9/2/2003 4:06 PM 20064]
      S2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [8/2/2005 4:10 PM 32512]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
      HPService   REG_MULTI_SZ      HPSLPSVC
      hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
      .
      Contents of the 'Scheduled Tasks' folder

      2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

      2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 12:28]

      2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 12:28]

      2010-08-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3914068558-821231906-3718164370-1111.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

      2010-08-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3914068558-821231906-3718164370-1111.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

      2010-08-23 c:\windows\Tasks\RegCure Program Check.job
      - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

      2010-08-19 c:\windows\Tasks\RegCure.job
      - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
      .
      .
      ------- Supplementary Scan -------
      .
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
      uInternet Settings,ProxyOverride = *.local
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-08-23 11:40
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
      "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
         00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

      [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
      @Denied: (2) (Administrators)
      "Policy"=hex:00,00,00,00
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(964)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      Completion time: 2010-08-23  11:42:34
      ComboFix-quarantined-files.txt  2010-08-23 16:42

      Pre-Run: 26,359,615,488 bytes free
      Post-Run: 26,484,244,480 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

      - - End Of File - - 755593661242EDB306C8FDAF653FAA52

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      Re: iexplore.exe - Application Error
      « Reply #3 on: August 23, 2010, 01:01:08 PM »
      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open Notepad and copy/paste the text in the quotebox below into it:
        Quote
        KillAll::

        Dirlook::
        C:\QUARANTINE

        File::
        c:\windows\Temp.tmp

        Rootkit::

        FileLook::
        c:\windows\explorer.exe
      • Save this as CFScript.txt, in the same location as ComboFix.exe



      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.


      danldo

        Topic Starter


        Beginner

        Re: iexplore.exe - Application Error
        « Reply #4 on: August 23, 2010, 04:44:28 PM »
        Here is my log.
        The only way ComboFix will work is in Safe Mode.
        I tried it in normal mode and I get a Stop: C000021a {Fatal System Error}
        It runs in safe mode and here is the log.
        Thank you.

        ComboFix 10-08-23.01 - egomez 08/23/2010  17:10:01.2.2 - x86 NETWORK
        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.706 [GMT -5:00]
        Running from: c:\documents and settings\egomez.DRGOMEZ\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\egomez.DRGOMEZ\Desktop\CFScript.txt

        FILE ::
        "c:\windows\Temp.tmp"
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\windows\Temp.tmp

        Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
        Restored copy from - c:\i386\WINLOGON.EXE

        c:\windows\explorer.exe . . . is infected!!

        .
        (((((((((((((((((((((((((   Files Created from 2010-07-23 to 2010-08-23  )))))))))))))))))))))))))))))))
        .

        2010-08-23 14:45 . 2010-08-23 14:45   63488   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-08-23 14:45 . 2010-08-23 14:45   52224   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-08-23 14:45 . 2010-08-23 14:45   117760   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-08-23 14:44 . 2010-08-23 14:44   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\SUPERAntiSpyware.com
        2010-08-23 14:44 . 2010-08-23 14:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-08-23 14:43 . 2010-08-23 14:44   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-08-23 12:41 . 2010-08-23 12:41   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\Identities
        2010-08-19 15:31 . 2010-08-19 15:31   --------   d-----w-   c:\program files\Trend Micro
        2010-08-18 21:19 . 2010-08-18 21:19   --------   d-----w-   c:\windows\system32\wbem\Repository
        2010-08-18 21:09 . 2010-08-18 21:09   --------   d-sh--w-   c:\documents and settings\egomez.DRGOMEZ\IECompatCache
        2010-08-18 20:42 . 2010-08-23 16:56   --------   d-----w-   C:\QUARANTINE
        2010-08-16 18:01 . 2005-09-17 18:32   745752   ----a-w-   c:\windows\system32\wodSmtp.dll
        2010-08-16 18:01 . 2004-05-19 15:22   114688   ----a-w-   c:\windows\system32\DARTUTIL.DLL
        2010-08-10 22:33 . 2010-08-10 22:33   --------   d-----w-   c:\program files\PMIC EBOOKS

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-08-23 22:19 . 2005-09-07 23:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\DIGStream
        2010-08-23 19:18 . 2009-12-14 13:25   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\HPAppData
        2010-08-19 15:17 . 2010-08-18 21:27   --------   d-----w-   c:\program files\CCleaner
        2010-08-18 22:04 . 2009-12-11 20:39   --------   d-----w-   c:\program files\Yahoo!
        2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\documents and settings\egomez.DRGOMEZ\Application Data\Malwarebytes
        2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-08-18 21:29 . 2010-08-18 21:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-08-12 13:16 . 2005-04-28 18:45   34816   ----a-w-   c:\program files\db_list.dbp
        2010-07-06 14:36 . 2006-06-24 01:31   65912   ----a-w-   c:\documents and settings\egomez.DRGOMEZ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-06-23 12:16 . 2010-06-23 12:16   501936   ----a-w-   c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb166.tmp.exe
        2010-06-14 13:42 . 2010-06-14 13:10   77383   ----a-w-   c:\windows\hpqins05.dat
        2005-06-28 16:50 . 2005-06-28 16:50   6144   ----a-w-   c:\program files\DB_LIST_HISTORY.DBP
        .

        ((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
        .

        --- c:\windows\explorer.exe ---
        Company: Microsoft Corporation
        File Description: Windows Explorer
        File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
        Product Name: Microsoft® Windows® Operating System
        Copyright: © Microsoft Corporation. All rights reserved.
        Original Filename: EXPLORER.EXE
        File size: 1032192
        Created time: 2004-08-04 10:00
        Modified time: 2004-08-04 10:00
        MD5: 9982618CEB1D8DAE75B4AD913A99A3EB
        SHA1: C105ED32D6A542C4D5CD3C5C5933DE50E4214FED

        ---- Directory of C:\QUARANTINE ----

        2010-08-23 16:56 . 2010-08-23 16:56   93   ----a-w-   c:\quarantine\infected.log
        2010-08-23 16:56 . 2010-08-23 16:56   72   ----a-w-   c:\quarantine\Av-test.txt.Vir


        ------- Sigcheck -------

        [-] 2004-08-04 . 24E8C39B3E1EF32FB6C8703EF752AC74 . 502272 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\winlogon.exe

        [-] 2004-08-04 . 9982618CEB1D8DAE75B4AD913A99A3EB . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
        .
        (((((((((((((((((((((((((((((   SnapShot@2010-08-23_17.59.51   )))))))))))))))))))))))))))))))))))))))))
        .
        + 2010-08-23 22:16 . 2010-08-23 22:16   16384              c:\windows\temp\Perflib_Perfdata_4f4.dat
        + 2010-08-23 22:16 . 2010-08-23 22:16   16384              c:\windows\temp\Perflib_Perfdata_33c.dat
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-19 68856]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
        "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-17 148888]
        "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
        "SMSERIAL"="sm56hlpr.exe" [2004-07-19 565248]
        "DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
        "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
        "WinVNC"="c:\program files\RealVNC\WinVNC\winvnc.exe" [2003-03-05 335872]
        "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
        "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
        "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
        "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
        "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
        "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "RunNarrator"="Narrator.exe" [2004-08-04 53760]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
        Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-7-28 1450047]
        HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
        backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
        backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
        2006-10-23 07:48   40048   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
        2010-04-13 07:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
        2004-04-26 13:04   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
        2010-04-28 20:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        2010-03-18 02:53   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
        2007-10-19 12:31   68856   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
        2010-03-08 13:19   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
        2004-01-07 06:01   110592   ----a-w-   c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\WINDOWS\\system32\\sessmgr.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

        R1 NaiAvTdi1;NaiAvTdi1;c:\windows\SYSTEM32\DRIVERS\mvstdi5x.sys [6/23/2006 9:04 PM 58048]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
        R2 MLPTDR_B;MLPTDR_B;c:\windows\SYSTEM32\MLPTDR_B.SYS [9/2/2003 4:06 PM 20064]
        R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [8/2/2005 4:10 PM 32512]
        S2 gupdate1ca3ddbc0872076;Google Update Service (gupdate1ca3ddbc0872076);c:\program files\Google\Update\GoogleUpdate.exe [9/25/2009 7:28 AM 133104]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
        HPService   REG_MULTI_SZ      HPSLPSVC
        hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
        .
        Contents of the 'Scheduled Tasks' folder

        2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

        2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 12:28]

        2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 12:28]

        2010-08-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3914068558-821231906-3718164370-1111.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

        2010-08-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3914068558-821231906-3718164370-1111.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

        2010-08-23 c:\windows\Tasks\RegCure Program Check.job
        - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

        2010-08-19 c:\windows\Tasks\RegCure.job
        - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
        .
        .
        ------- Supplementary Scan -------
        .
        uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
        uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
        uInternet Settings,ProxyOverride = *.local
        uSearchAssistant = hxxp://www.google.com/ie
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-08-23 17:19
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
        "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
           00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

        [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
        @Denied: (2) (Administrators)
        "Policy"=hex:00,00,00,00
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(1064)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        - - - - - - - > 'lsass.exe'(1120)
        c:\windows\system32\EntApi.dll

        - - - - - - - > 'explorer.exe'(3920)
        c:\windows\system32\EntApi.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\system32\LEXBCES.EXE
        c:\windows\system32\LEXPPS.EXE
        c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        c:\windows\system32\basfipm.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\program files\Cisco Systems\VPN Client\cvpnd.exe
        c:\program files\Dell\OpenManage\Client\Iap.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Network Associates\Common Framework\FrameworkService.exe
        c:\program files\Network Associates\VirusScan\Mcshield.exe
        c:\program files\Network Associates\VirusScan\VsTskMgr.exe
        c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
        c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
        c:\program files\Lexmark 4200 Series\lxbmbmon.exe
        c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
        c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
        c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
        .
        **************************************************************************
        .
        Completion time: 2010-08-23  17:24:36 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-08-23 22:24
        ComboFix2.txt  2010-08-23 18:04
        ComboFix3.txt  2010-08-23 16:42

        Pre-Run: 26,465,378,304 bytes free
        Post-Run: 26,455,195,648 bytes free

        - - End Of File - - 87C7794D2DF32297D546B8ECE98FADAC

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: iexplore.exe - Application Error
        « Reply #5 on: August 23, 2010, 05:13:35 PM »
        Registry cleaners (RegCure) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

        There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

        For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

        Further reading: XP Fixes Myth #1: Registry Cleaners

        ******************************************

        Please download SystemLook from one of the links below and save it to your desktop.

        Link # 1
        Link # 2

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Double-click SystemLook.exe to run it.

        Copy the contents of the following codebox into the main textfield.
        Code:
        :filefind
        explorer.exe

        Click the Look button to start the scan.

        Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

        When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
         
        Windows 8 and Windows 10 dual boot with two SSD's

        danldo

          Topic Starter


          Beginner

          Re: iexplore.exe - Application Error
          « Reply #6 on: August 24, 2010, 08:20:52 AM »
          Here is my log.
          Thank you

          SystemLook v1.0 by jpshortstuff (11.01.10)
          Log created at 08:41 on 24/08/2010 by egomez (Administrator - Elevation successful)

          ========== filefind ==========

          Searching for "explorer.exe"
          C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] 9982618CEB1D8DAE75B4AD913A99A3EB

          -=End Of File=-

          SuperDave

          Re: iexplore.exe - Application Error
          « Reply #7 on: August 24, 2010, 01:05:33 PM »
          That doesn't look good. Do you have your OS CD?

          danldo


            Re: iexplore.exe - Application Error
            « Reply #8 on: August 24, 2010, 03:42:05 PM »
            Yes, I do.

            SuperDave

            Re: iexplore.exe - Application Error
            « Reply #9 on: August 24, 2010, 05:13:57 PM »
            Place the OS CD in your CD ROM drive and follow the instructions below:
            • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
            • Let this run undisturbed until the window with the blue progress bar goes away
            SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
            Please let me know what happens.

            danldo


              Re: iexplore.exe - Application Error
              « Reply #10 on: August 25, 2010, 09:30:33 AM »
              I ran SFC and it ran fine.
              Internet Explorer still does not work.
              I ran the SystemLook again and here is the log.
              Thank you,

              SystemLook v1.0 by jpshortstuff (11.01.10)
              Log created at 10:12 on 25/08/2010 by egomez (Administrator - Elevation successful)

              ========== filefind ==========

              Searching for "explorer.exe"
              C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] A06B61E9E26A31E18D5E5412BAFC2467
              C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] A06B61E9E26A31E18D5E5412BAFC2467

              -=End Of File=-
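
The comparison between the two SystemLook logs in Reply #6 and Reply #10, as an added example that is not part of the original posts: it parses the `filefind` result lines and diffs the two runs. The sample text is copied from those posts; the function and field names are assumptions of this example.

```python
import re
from typing import NamedTuple

# Sample input: the two filefind logs posted in this thread (before and after SFC).
RUN_BEFORE_SFC = r"""
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] 9982618CEB1D8DAE75B4AD913A99A3EB
"""
RUN_AFTER_SFC = r"""
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] A06B61E9E26A31E18D5E5412BAFC2467
C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe   --a--- 1032192 bytes   [10:00 04/08/2004]   [10:00 04/08/2004] A06B61E9E26A31E18D5E5412BAFC2467
"""

class Hit(NamedTuple):
    path: str
    size: int
    stamps: tuple   # the two bracketed timestamps, kept as text
    md5: str

# One result line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

def parse_filefind(log_text):
    """Return {lower-cased path: Hit} for every result line in a filefind log."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["path"].lower()] = Hit(
                m["path"], int(m["size"]), (m["t1"], m["t2"]), m["md5"].upper())
    return hits

def diff_runs(before, after):
    """Classify each path in `after` relative to the earlier run `before`."""
    report = {}
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            report[new.path] = "new"
        elif old.md5 == new.md5:
            report[new.path] = "unchanged"
        elif (old.size, old.stamps) == (new.size, new.stamps):
            # Content differs although size and timestamps are identical:
            # metadata alone would not have revealed the change.
            report[new.path] = "content-changed-metadata-identical"
        else:
            report[new.path] = "content-changed"
    return report

def copies_agree(hits, name):
    """True if every listed file with this base name has the same MD5."""
    suffix = "\\" + name.lower()
    return len({h.md5 for k, h in hits.items() if k.endswith(suffix)}) == 1

if __name__ == "__main__":
    before, after = parse_filefind(RUN_BEFORE_SFC), parse_filefind(RUN_AFTER_SFC)
    for path, status in diff_runs(before, after).items():
        print(f"{status:36} {path}")
    print("live file matches DLLCACHE copy:", copies_agree(after, "explorer.exe"))
```

A match between the live file and the DLLCACHE copy shows only that the two copies agree with each other; confirming that either is the original file requires a hash taken from trusted installation media.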

              SuperDave

              Re: iexplore.exe - Application Error
              « Reply #11 on: August 25, 2010, 04:34:14 PM »
              Ok. That's great. Let's try this to get that file cleaned.

              Re-running ComboFix to remove infections:

              • Close any open browsers.
              • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              • Open notepad and copy/paste the text in the quotebox below into it:
                Quote
                KillAll::

                FCopy::
                C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe | c:\windows\explorer.exe 

                Folder::
                C:\QUARANTINE

                Rootkit::

              • Save this as CFScript.txt, in the same location as ComboFix.exe



              • Referring to the picture above, drag CFScript into ComboFix.exe
              • When finished, it shall produce a log for you at C:\ComboFix.txt
              • Please post the contents of the log in your next reply.

              danldo


                Re: iexplore.exe - Application Error
                « Reply #12 on: August 26, 2010, 12:10:42 PM »
                Every time I drag the CFScript into the Combo Fix it starts and then it stops after "This typically doesn't take more that 10 minutes however, scantimes for badly infected machines may easily double."
                It does nothing after this. I let it run over 25 minutes and nothing.

                SuperDave

                Re: iexplore.exe - Application Error
                « Reply #13 on: August 26, 2010, 01:06:02 PM »
                Ok. We'll try to do it without ComboFix.

                Go to Start > Run > type Notepad.exe and click OK to open Notepad.

                Copy all of the text in the below Code box into Notepad.

                Code:
                @echo off
                copy C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe c:\windows\explorer.exe 

                del C:\QUARANTINE
                del event.bat
                exit

                In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

                Now double click the event.bat file you just created and let it finish.

                You will know it's finished when there is a new file on your desktop.
                *************************************

                Now, please try to run another scan with ComboFix.


                danldo


                  Re: iexplore.exe - Application Error
                  « Reply #14 on: August 26, 2010, 03:12:27 PM »
                  After creating the event.bat and saving it, I double click on it and I get a command window with the following:
                  The system cannot find the file specified.
                  C:\QUARANTINE\*, Are you sure (Y/N)?
                  If I press Y the window goes away and no other files show up.