
Author Topic: Don't Know What to Do Anymore... >:C  (Read 20730 times)


rawrr

    Topic Starter


    Rookie

    Don't Know What to Do Anymore... >:C
    « on: March 02, 2010, 07:08:15 PM »
    I have an XP Dell Inspiron 1525 and it has had many viruses in the past. We've gotten it fixed before but now it has another virus and my mom refuses to pay to get it fixed again.

    It started with XP Internet Security 2010, which I had gotten before. Last time I removed it with Malwarebytes' Anti-Malware but then every time I went to open a program I had to right click and press start. Anyway, it happened again and Symantec Endpoint Protection kept detecting a file called Win32.UnRuy.A, which I quarantined and then deleted twice because it kept detecting it. Then I tried to manually remove the Internet Security but I wasn't allowed in the registry. So I looked up how to do THAT and nothing I tried worked. One of the things I did was I made the exefix.reg to follow some steps that I can't remember (sorry) and another is I tried the regtools.vbs action to enable the Registry Editor. So eventually I got the Malwarebytes again and started a scan, but it was very late at night so I had to stop it and tried to delete what it had found so far. It found infected registry files and it told me that it would enable the registry editor to get rid of them. As soon as I clicked OK on that, the window comes up again saying that the registry editor has been disabled by administrator. THEN, Symantec pops up showing 5 infected files, one of them being the .exe file for Malwarebytes! Oh, and I also couldn't open Internet Explorer without it opening 20 million windows, freezing, and then closing all of them; but I could get online with Safari. It had shut off multiple times in between some of these things, probably from overheating. So now I got HijackThis but I didn't know what to do with it... and now I can get on Internet Explorer but not on Safari or Google Chrome. When I type in regedit in the command prompt, it goes to Open With and I can't get to it. Plus, when I first start up, a lot of windows come up one after the other:

    bcmwltry.exe- Bad Image
    userinit.exe- Bad Image
    GoogleUpdate.exe-Bad Image
    Explorer.EXE- Bad Image
    GoogleCrashHandler.exe-Bad Image
    LuCallBackProxy.exe- Bad Image

    and they all say underneath that: The application or DLL C:\Windows\System32\app_dll.dll is not a valid Windows image.

    And my computer had also said something about RUNDLL.

    Here's the information from HijackThis anyway:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:19:08 PM, on 3/2/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\windows\msa .exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie8-nickelback.com/start/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie8-nickelback.com/start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Live Nation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: (no name) - {72636515-4f8d-4d22-a62e-447e740a2e1a} - husedire.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (file missing)
    O2 - BHO: zAdBho.BHOMain - {C63E439B-FC3A-44F9-94A3-1F3927D38005} - C:\WINDOWS\zAdBho.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [samubahohi] Rundll32.exe "yuyugepu.dll",s
    O4 - HKLM\..\Run: [NetSoft] iexplore.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOY5KNQ8OC] c:\docume~1\michel~1\locals~1\temp\rbd       .exe
    O4 - Startup: Talking Owl Gadget.lnk = C:\Program Files\Talking Owl Gadget\Talking Owl Gadget.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Silver 17\Remind.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYUS
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - AppInit_DLLs: app_dll.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9d65c8e7f4cd4) (gupdate1c9d65c8e7f4cd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

    --
    End of file - 11048 bytes

    Sorry if any of this was unclear, I never remember to keep detailed notes on everything that's happened to the computer... lol I would really appreciate any help because I don't want to have to get a new computer.
    Also, I don't know if it matters or not, but my computer USED to be Vista, but was then switched over to XP (I think illegally by the computer guy) because of another virus.

    Thanks ???

    Edit: my computer just shut off again and when I turned it back on, before it even got to the username screen (where it says welcome), it said services.exe- Bad Image and lsass.exe- Bad Image followed by the others that I mentioned previously.

    Symantec keeps showing a window in the corner telling me it's blocking traffic from an IP address... does that mean something is trying to get in and Symantec is stopping it?

    One last thing (lol), when all this first started happening (about 2 days ago) there would be a lot of popups and sometimes you would see a new window open with this weird address and it would suddenly transform into Google. So obviously I closed those. Speaking of Google, another thing that happened, which I saw someone else had posted, was that every time you clicked on a link in Google it would redirect you to all the ad pages or spam or something and not the actual page, and so I would have to look at the Cached version, and even THAT didn't always work :O

    OK I think that's it, please ask about anything else!
    « Last Edit: March 02, 2010, 07:58:08 PM by rawrr »
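The HijackThis log above contains the entry types a malware-removal helper reads first: a redirected start page (R0), an orphaned BHO (O2, "file missing"), Run keys that start rundll32 with a bare DLL name, a bare executable name, or a binary under the user's temp folder (O4), a static NameServer override (O17), and an AppInit_DLLs value (O20). The script below is an added example, not part of this thread and not part of HijackThis or Malwarebytes: it reads lines in that log format and returns, for each flagged line, the reasons it deserves review. The sample lines are constructed from the log format shown above, the allow-list of default start-page hosts is an assumption, and the checks are triage heuristics, not a verdict on any single entry.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not the tool's own code)."""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample lines in HijackThis v2 format (values modeled on the
# thread's log; the ccApp, HKLM start page and Bonjour lines are benign controls).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://ie8-nickelback.com/start/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: zAdBho.BHOMain - {C63E439B-FC3A-44F9-94A3-1F3927D38005} - C:\\WINDOWS\\zAdBho.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [samubahohi] Rundll32.exe "yuyugepu.dll",s
O4 - HKLM\\..\\Run: [NetSoft] iexplore.exe
O4 - HKCU\\..\\Run: [TOY5KNQ8OC] c:\\docume~1\\michel~1\\locals~1\\temp\\rbd       .exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.128,85.255.112.142
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Assumed allow-list: start-page hosts that Internet Explorer ships with by default.
DEFAULT_PAGE_HOSTS = {"go.microsoft.com", "www.msn.com"}

RUN_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PAGE_RE = re.compile(r"^R[01] - .*(?:Start Page|Default_Page_URL) = (?P<url>\S+)$")


def check_line(line: str) -> List[str]:
    """Return the reasons this log line deserves review (empty list if none)."""
    reasons: List[str] = []

    # Any entry whose backing file is gone is an orphan left behind by a removal.
    if "(file missing)" in line:
        reasons.append("orphaned entry: registered component has no file on disk")

    # Browser start/default page pointing somewhere other than a default host.
    m = PAGE_RE.match(line)
    if m and (urlsplit(m.group("url")).hostname or "") not in DEFAULT_PAGE_HOSTS:
        reasons.append("browser start/default page changed from a Microsoft default")

    # Run keys: legitimate entries normally carry a full path to the binary.
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        lower = cmd.lower()
        if "rundll32" in lower and "\\" not in cmd:
            reasons.append("Run entry loads a DLL by bare name via rundll32 (resolved through the DLL search path)")
        elif "\\" not in cmd:
            reasons.append("Run entry launches an executable without a full path")
        if "\\temp\\" in lower:
            reasons.append("Run entry starts a binary from a temp folder")

    # O17 appears only when NameServer is set statically in the registry.
    m = DNS_RE.match(line)
    if m:
        for server in m.group("servers").split(","):
            ip = ipaddress.ip_address(server.strip())
            scope = "public" if ip.is_global else "non-public"
            reasons.append(f"static DNS override to {scope} resolver {ip}")

    # AppInit_DLLs: the named DLL is loaded into every process that loads user32.dll.
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs set: DLL is injected into every process that loads user32.dll")

    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run check_line over every line and return (line, reasons) for flagged lines only."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = check_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the constructed sample, seven of the ten lines are flagged and the three controls pass clean. The O17 check deliberately reports the resolver's scope rather than judging it: a public resolver can be legitimate, but a static NameServer value on a home laptop that normally gets DNS from DHCP is exactly what the later Malwarebytes log in this thread classifies as a DNS changer, so it belongs on the review list either way.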

    evilfantasy

    • Malware Removal Specialist


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Don't Know What to Do Anymore... >:C
    « Reply #1 on: March 03, 2010, 01:19:15 PM »
    Welcome to CH.


    If you already have Malwarebytes be sure to update it before running the scan!

    Download Malwarebytes' Anti-Malware (MBAM)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to the following:

    * Update Malwarebytes' Anti-Malware
    * Launch Malwarebytes' Anti-Malware

    * Then click Finish
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ----------

    Clean out your temporary internet files and temp files.

    Download TFC by OldTimer to your desktop.

    Double-click TFC.exe to run it.

    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

    TFC will close all programs when run, so make sure you have saved all your work before you begin.

    * Click the Start button to begin the cleaning process.
    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
    * Please let TFC run uninterrupted until it is finished.

    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

    ----------

    Now run a new HijackThis scan and post that log along with the Malwarebytes log.

    rawrr

      Topic Starter


      Rookie

      Re: Don't Know What to Do Anymore... >:C
      « Reply #2 on: March 03, 2010, 03:52:49 PM »
      OK, here is the Malwarebytes log:

      Malwarebytes' Anti-Malware 1.44
      Database version: 3822
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      3/3/2010 5:34:46 PM
      mbam-log-2010-03-03 (17-34-46).txt

      Scan type: Quick Scan
      Objects scanned: 130817
      Time elapsed: 13 minute(s), 50 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 1
      Registry Keys Infected: 32
      Registry Values Infected: 5
      Registry Data Items Infected: 5
      Folders Infected: 11
      Files Infected: 13

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\zadbho.bhomain (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\zadbho.clswaitabletimer (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\zadbho.xtimer (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{4d5f12b2-00e8-4a70-9e28-e63240257523} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{6a5624b4-e765-48db-b748-3e0bda488b77} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{aa7f7620-9a31-4313-a310-3663cfe8d9ef} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{bd542b30-5ad8-4d90-921c-d8489866cade} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{c63e439b-fc3a-44f9-94a3-1f3927d38005} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{c10fccbd-83e8-4ff0-ab29-01afb58c69c0} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{0a43e85a-f1fb-48bc-9a0f-31642d4d227c} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Typelib\{555839d8-79cb-42f0-817e-05341658240d} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c63e439b-fc3a-44f9-94a3-1f3927d38005} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c63e439b-fc3a-44f9-94a3-1f3927d38005} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\membus (Rootkit.Agent) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samubahohi (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsoft (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.128,85.255.112.142 -> Quarantined and deleted successfully.

      Folders Infected:
      C:\Documents and Settings\Michelle Dunaway\Application Data\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Application Data\FunWebProducts\Data\Michelle Dunaway (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

      Files Infected:
      c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
      C:\WINDOWS\system32\membus.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\ctv358270.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\oxhyanxq.exe (Malware.Packer) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\Rbb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\Rbc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\rbd        .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\WINDOWS\msa .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\app_dll.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
      C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

      HijackThis:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 5:48:36 PM, on 3/3/2010
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\WINDOWS\System32\WLTRYSVC.EXE
      C:\WINDOWS\System32\bcmwltry.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
      C:\Program Files\Viewpoint\Common\ViewpointService.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Talking Owl Gadget\Talking Owl Gadget.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Windows Live\Toolbar\wltuser.exe
      C:\Program Files\HijackThis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie8-nickelback.com/start/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie8-nickelback.com/start/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Live Nation
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: (no name) - {72636515-4f8d-4d22-a62e-447e740a2e1a} - husedire.dll (file missing)
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (file missing)
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Startup: Talking Owl Gadget.lnk = C:\Program Files\Talking Owl Gadget\Talking Owl Gadget.exe
      O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Silver 17\Remind.exe
      O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
      O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
      O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
      O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
      O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
      O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
      O20 - AppInit_DLLs: app_dll.dll
      O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
      O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Google Update Service (gupdate1c9d65c8e7f4cd4) (gupdate1c9d65c8e7f4cd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
      O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
      O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
      O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
      O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
      O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

      --
      End of file - 10455 bytes


      It seems to be working fine now, but Symantec keeps telling me it's blocking some IP address; does that mean anything?

      Thanks for your help!  ;D

      evilfantasy

      • Malware Removal Specialist


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Don't Know What to Do Anymore... >:C
      « Reply #3 on: March 03, 2010, 05:56:31 PM »
      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      • O2 - BHO: (no name) - {72636515-4f8d-4d22-a62e-447e740a2e1a} - husedire.dll (file missing)
      • O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
      • O20 - AppInit_DLLs: app_dll.dll
      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ----------

      Go to Start > Run and type Notepad.exe then click OK.

      Copy and paste the following text within the code box into the new Notepad file.

      Code:
      @ECHO OFF
      sc stop avg8emc
      sc delete avg8emc
      sc stop avg8wd
      sc delete avg8wd
      exit

      In Notepad select File and Save as
      Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

      Next double click fixservice.bat to run it.
      A black box should open and close after a short time, this is normal.
      Do not continue until the black box has closed
      Delete fixservice.bat from the Desktop.

      ----------

      Now go here to download and run the AVG Antivirus Remover utility. http://www.avg.com/us-en/download-tools

      ----------

      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete the two files that were put on the desktop.

      ----------

      If you already have ComboFix be sure to delete it and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix
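The four HijackThis entries checked in the reply above share two traits: a registered component whose file is gone, and a non-empty AppInit_DLLs value. The script below is an added example (my own heuristic, not part of the forum post or of HijackThis) that scans a log in the format posted above and flags exactly those two patterns; the sample lines are copied from this thread's log, and the script also catches the orphaned Google Toolbar Notifier entry that the reply left alone, which is the reminder that a human still decides what gets fixed.

```python
"""Triage a HijackThis log for the two patterns fixed in the reply above.

Added example, not part of the thread or of HijackThis itself. The rule set is
my own heuristic; the sample lines are copied from the log posted in this thread.
"""
import re
from dataclasses import dataclass

# HijackThis entries look like "O2 - BHO: <name> - {CLSID} - <path or note>"
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<rest>.*)$")
# markers HijackThis appends when the registered file is not on disk
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_lines):
    """Return a Finding for every line matching one of the two patterns."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("O2", "O18") and any(mk in rest for mk in MISSING_MARKERS):
            # orphaned BHO / URL protocol handler: the registry entry survived
            # but the DLL is gone, usually the tail of an earlier removal
            findings.append(Finding(line, "registered component points at a missing file"))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            value = rest.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is loaded into every process that maps user32.dll,
                # so a non-empty value deserves a look regardless of the name
                findings.append(Finding(line, f"AppInit_DLLs loads {value} into every GUI process"))
    return findings


# sample lines copied from the log posted in this thread (not a full log)
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {72636515-4f8d-4d22-a62e-447e740a2e1a} - husedire.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: app_dll.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}\n    {f.line}")
```

On the sample above it reports five lines: the four the reply fixes plus the Google Toolbar Notifier orphan, which is harmless but also dead weight.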

      rawrr


        Re: Don't Know What to Do Anymore... >:C
        « Reply #4 on: March 03, 2010, 08:44:32 PM »
        ComboFix 10-03-03.04 - Michelle Dunaway 03/03/2010  22:24:51.1.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1449 [GMT -5:00]
        Running from: c:\documents and settings\Michelle Dunaway\Desktop\ComboFix.exe
        AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
        FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\program files\Adobe\230046.old
        c:\program files\Adobe\73090406.old
        c:\windows\ad2h264dec.dll
        c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
        c:\windows\EventSystem.log
        c:\windows\system32\ctfmon .exe
        c:\windows\system32\hkcmd .exe
        c:\windows\system32\igfxpers .exe
        c:\windows\system32\igfxtray .exe
        c:\windows\system32\rundll32 .exe
        c:\windows\system32\wltray .exe

        Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
        Restored copy from - Kitty ate it :p
        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Legacy_6TO4
        -------\Legacy_SSHNAS


        (((((((((((((((((((((((((   Files Created from 2010-02-04 to 2010-03-04  )))))))))))))))))))))))))))))))
        .

        2010-03-02 02:37 . 2010-03-02 02:37   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Malwarebytes
        2010-03-02 02:37 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-03-02 02:37 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-03-02 00:26 . 2010-03-02 00:26   --------   d--h--w-   c:\windows\system32\GroupPolicy
        2010-02-28 20:29 . 2010-02-28 20:29   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\Threat Expert
        2010-02-28 20:24 . 2010-03-01 00:28   --------   d-----w-   c:\program files\Spyware Doctor
        2010-02-28 16:23 . 2010-02-28 16:23   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
        2010-02-28 15:44 . 2008-04-13 19:40   34688   -c--a-w-   c:\windows\system32\dllcache\lbrtfdc.sys
        2010-02-28 15:44 . 2008-04-13 19:40   34688   ----a-w-   c:\windows\system32\drivers\lbrtfdc.sys
        2010-02-28 15:44 . 2008-04-13 19:41   8576   -c--a-w-   c:\windows\system32\dllcache\i2omgmt.sys
        2010-02-28 15:44 . 2008-04-13 19:41   8576   ----a-w-   c:\windows\system32\drivers\i2omgmt.sys
        2010-02-28 15:44 . 2008-04-13 19:40   8192   -c--a-w-   c:\windows\system32\dllcache\changer.sys
        2010-02-28 15:44 . 2008-04-13 19:40   8192   ----a-w-   c:\windows\system32\drivers\changer.sys
        2010-02-28 02:36 . 2010-02-28 02:46   2110728   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
        2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_3.dll
        2010-02-20 20:52 . 2010-02-20 20:52   --------   d-----w-   c:\program files\LyricsSeeker
        2010-02-08 00:28 . 2010-02-08 00:28   50354   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\uninstall.exe
        2010-02-08 00:28 . 2010-02-28 02:46   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook
        2010-02-05 00:44 . 2010-02-05 00:44   --------   d-----w-   c:\program files\iPod
        2010-02-05 00:44 . 2010-03-03 00:41   --------   d-----w-   c:\program files\iTunes
        2010-02-05 00:37 . 2010-02-05 00:37   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-03-04 03:35 . 2009-12-21 20:10   --------   d-----w-   c:\program files\Common Files\Akamai
        2010-03-04 01:42 . 2009-11-26 18:12   --------   d-----w-   c:\program files\QuickTime
        2010-03-03 22:18 . 2010-01-28 23:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-03-03 22:05 . 2008-09-19 11:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
        2010-03-02 03:13 . 2009-11-10 12:00   79488   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
        2010-03-02 00:57 . 2009-03-16 22:20   --------   d-----w-   c:\program files\Common Files\Symantec Shared
        2010-02-28 21:01 . 2009-03-16 22:16   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
        2010-02-28 16:29 . 2008-09-20 21:17   --------   d-----w-   c:\program files\Safari
        2010-02-26 00:04 . 2008-09-28 21:47   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\gtk-2.0
        2010-02-24 11:37 . 2007-02-12 19:36   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
        2010-02-24 02:44 . 2008-09-19 11:23   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-02-05 00:44 . 2008-09-19 21:29   --------   d-----w-   c:\program files\Common Files\Apple
        2010-02-04 18:08 . 2008-09-19 11:24   --------   d-----w-   c:\program files\Google
        2010-02-01 22:04 . 2010-02-01 22:04   847040   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\axfbootloader.dll
        2010-02-01 22:04 . 2010-02-01 22:04   5578752   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_1.dll
        2010-01-29 01:52 . 2010-01-29 01:52   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Office Genuine Advantage
        2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
        2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-01-22 21:01 . 2009-03-16 23:33   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-01-12 22:57 . 2008-06-20 04:12   162048   ----a-w-   c:\windows\system32\drivers\WpsHelper.sys
        2010-01-07 00:12 . 2009-12-25 19:29   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
        2010-01-02 20:19 . 2009-12-25 19:27   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
        2009-12-31 16:50 . 2004-08-04 10:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
        2009-12-27 22:39 . 2008-09-20 21:41   86760   ---ha-w-   c:\windows\system32\mlfcache.dat
        2009-12-25 19:31 . 2009-12-25 19:31   49152   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
        2009-12-25 19:31 . 2009-12-25 19:31   335872   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
        2009-12-25 19:30 . 2009-12-25 19:30   57344   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
        2009-12-24 22:35 . 2008-09-19 22:47   189992   ----a-w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-12-21 19:14 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
        2009-12-16 18:43 . 2008-09-17 03:42   343040   ----a-w-   c:\windows\system32\mspaint.exe
        2009-12-14 07:08 . 2004-08-04 10:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        2009-12-08 19:26 . 2005-03-30 01:21   2145280   ----a-w-   c:\windows\system32\ntoskrnl.exe
        2009-12-08 18:43 . 2005-03-30 01:01   2023936   ----a-w-   c:\windows\system32\ntkrnlpa.exe
        2009-12-04 18:22 . 2004-08-04 10:00   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
        2008-09-17 12:41 . 2008-09-17 12:41   76   --sh--r-   c:\windows\CT4CET.bin
        .
        Code:
        c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
        c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
        c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
        c:\program files\Common Files\Nikon\Monitor\nkmonitor .exe
        c:\program files\Common Files\Symantec Shared\ccapp .exe
        c:\program files\iTunes\ituneshelper .exe
        c:\program files\Java\jre6\bin\jusched .exe
        c:\program files\Malwarebytes' Anti-Malware\mbam .exe
        c:\program files\QuickTime\qttask           .exe
        c:\program files\QuickTime\qttask         .exe
        c:\program files\QuickTime\qttask        .exe
        c:\program files\QuickTime\qttask       .exe
        c:\program files\QuickTime\qttask      .exe
        c:\program files\QuickTime\qttask     .exe
        c:\program files\QuickTime\qttask    .exe
        c:\program files\QuickTime\qttask   .exe
        c:\program files\QuickTime\qttask  .exe
        c:\program files\QuickTime\qttask .exe
        c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "AdobeBridge"="" [N/A]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

        c:\documents and settings\Michelle Dunaway\Start Menu\Programs\Startup\
        Talking Owl Gadget.lnk - c:\program files\Talking Owl Gadget\Talking Owl Gadget.exe [2010-1-2 95232]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Event Reminder.lnk - c:\program files\PrintMaster Silver 17\Remind.exe [2006-2-22 344064]

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
        @="Driver"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
        c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        c:\program files\QuickTime\qttask.exe [N/A]

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusOverride"=dword:00000001
        "FirewallOverride"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "enablefirewall"= 0 (0x0)
        "DisableNotifications"= 1 (0x1)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
        "c:\\Program Files\\AIM6\\aim6.exe"=
        "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
        "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
        "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "5353:TCP"= 5353:TCP:Adobe CSI CS4
        "1033:TCP"= 1033:TCP:Akamai NetSession Interface
        "5000:UDP"= 5000:UDP:Akamai NetSession Interface

        R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
        R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/19/2008 4:30 PM 24652]
        R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
        R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:54 PM 102448]
        R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [9/17/2008 7:47 AM 105984]
        S2 gupdate1c9d65c8e7f4cd4;Google Update Service (gupdate1c9d65c8e7f4cd4);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 2:28 PM 133104]
        S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [9/16/2008 11:03 PM 347648]
        S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [1/12/2008 5:32 PM 23888]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        Akamai   REG_MULTI_SZ      Akamai
        .
        Contents of the 'Scheduled Tasks' folder

        2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

        2010-03-04 c:\windows\Tasks\Google Software Updater.job
        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 23:44]

        2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

        2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

        2010-03-04 c:\windows\Tasks\OGALogon.job
        - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://ie8-nickelback.com/start/
        uInternet Settings,ProxyOverride = *.local
        IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
        DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
        DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
        DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
        .
        - - - - ORPHANS REMOVED - - - -

        Notify-avgrsstarter - avgrsstx.dll
        SafeBoot-Symantec Antvirus



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-03-03 22:36
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(1340)
        c:\windows\System32\BCMLogon.dll

        - - - - - - - > 'explorer.exe'(3484)
        c:\windows\system32\WININET.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
        c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
        c:\windows\System32\WLTRYSVC.EXE
        c:\windows\System32\bcmwltry.exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\windows\system32\HPZipm12.exe
        c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
        c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
        c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
        c:\windows\system32\RUNDLL32.EXE
        c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
        .
        **************************************************************************
        .
        Completion time: 2010-03-03  22:42:14 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-03-04 03:42

        Pre-Run: 106,908,049,408 bytes free
        Post-Run: 107,110,699,008 bytes free

        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

        - - End Of File - - 6D9730B51C40200121A613FE4F25A324

        evilfantasy

        Re: Don't Know What to Do Anymore... >:C
        « Reply #5 on: March 04, 2010, 09:56:28 AM »
        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        Driver::
        Viewpoint Manager Service

        Folder::
        c:\program files\Viewpoint

        SecCenter::
        {17DDD097-36FF-435F-9E1B-52D74245D6BF}

        RenV::
        c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
        c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
        c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
        c:\program files\Common Files\Nikon\Monitor\nkmonitor .exe
        c:\program files\Common Files\Symantec Shared\ccapp .exe
        c:\program files\iTunes\ituneshelper .exe
        c:\program files\Java\jre6\bin\jusched .exe
        c:\program files\Malwarebytes' Anti-Malware\mbam .exe
        c:\program files\QuickTime\qttask           .exe
        c:\program files\QuickTime\qttask         .exe
        c:\program files\QuickTime\qttask        .exe
        c:\program files\QuickTime\qttask       .exe
        c:\program files\QuickTime\qttask      .exe
        c:\program files\QuickTime\qttask     .exe
        c:\program files\QuickTime\qttask    .exe
        c:\program files\QuickTime\qttask   .exe
        c:\program files\QuickTime\qttask  .exe
        c:\program files\QuickTime\qttask .exe
        c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
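Every path in the RenV:: list above, like the "Other Deletions" entries in the previous ComboFix log, has whitespace padded in between the file name and .exe (qttask followed by spaces and .exe, and so on). As an added example, not code from the thread or from ComboFix, the script below finds such names in a list of paths, works out which normal name each one shadows, and separates the safe renames from the cases that need a look first: several padded copies mapping to one name (the ten qttask entries), or a file already sitting at the target name. The sample paths are copied from the logs above, with the normally named ccApp.exe from the Reg Loading Points section included for contrast.

```python
"""Spot executables whose name has whitespace padded in before ".exe", the
pattern behind every path in the RenV:: list above, and plan safe renames.

Added example, not code from the thread or from ComboFix. The sample paths are
copied from the ComboFix logs above; the grouping logic is my own.
"""
import re
from collections import defaultdict

# one or more blanks directly before a final ".exe" (Windows names are case-insensitive)
PADDED_EXE_RE = re.compile(r"^(?P<stem>.*?\S)\s+(?P<ext>\.exe)$", re.IGNORECASE)


def canonical_name(path):
    """Return the path with the padding removed, or None if the name is normal."""
    m = PADDED_EXE_RE.match(path)
    return m.group("stem") + m.group("ext") if m else None


def plan_renames(paths):
    """Sort padded names into three buckets.

    renames    - (padded_path, canonical_path) pairs with exactly one padded copy
                 and nothing already at the target name, so the rename cannot
                 clobber anything
    collisions - canonical_path -> [padded paths] when several padded copies map
                 to one name; someone has to decide which copy, if any, is the
                 real program before anything is renamed
    occupied   - canonical_path -> padded_path when a file already sits at the
                 target name; inspect that file first, since it is what currently
                 runs under the program's name
    """
    paths = [p.strip() for p in paths]
    # names already present without padding, compared case-insensitively
    normal = {p.lower() for p in paths if canonical_name(p) is None}
    groups = defaultdict(list)
    for p in paths:
        canon = canonical_name(p)
        if canon:
            groups[canon].append(p)
    renames, collisions, occupied = [], {}, {}
    for canon, padded in groups.items():
        if len(padded) > 1:
            collisions[canon] = padded
        elif canon.lower() in normal:
            occupied[canon] = padded[0]
        else:
            renames.append((padded[0], canon))
    return renames, collisions, occupied


# sample paths copied from the logs above (three of the ten qttask variants),
# plus the normally named ccApp.exe from the Reg Loading Points section
SAMPLE_PATHS = [
    r"c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe",
    r"c:\program files\Common Files\Symantec Shared\ccapp .exe",
    r"c:\program files\Malwarebytes' Anti-Malware\mbam .exe",
    r"c:\program files\QuickTime\qttask   .exe",
    r"c:\program files\QuickTime\qttask  .exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\windows\system32\ctfmon .exe",
    r"c:\program files\Common Files\Symantec Shared\ccApp.exe",
]

if __name__ == "__main__":
    renames, collisions, occupied = plan_renames(SAMPLE_PATHS)
    for src, dst in renames:
        print(f"rename  {src!r} -> {dst!r}")
    for dst, srcs in collisions.items():
        print(f"review  {len(srcs)} padded copies of {dst!r}")
    for dst, src in occupied.items():
        print(f"inspect {dst!r} before restoring {src!r}")
```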

        rawrr


          Re: Don't Know What to Do Anymore... >:C
          « Reply #6 on: March 04, 2010, 03:29:21 PM »
          ComboFix 10-03-04.02 - Michelle Dunaway 03/04/2010  17:15:03.2.2 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1312 [GMT -5:00]
          Running from: c:\documents and settings\Michelle Dunaway\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Michelle Dunaway\Desktop\CFScript.txt
          AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
          FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\Viewpoint
          c:\program files\Viewpoint\Common\ViewpointService.exe
          c:\program files\Viewpoint\Common\VistaBoot.sdll
          c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
          c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0306003B.dll
          c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
          c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0306003B.dll
          c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
          c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\MTS3Reader.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
          c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
          c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
          c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
          c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
          c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
          c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
          c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
          c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
          c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
          c:\program files\Viewpoint\Viewpoint_log.dmp
          c:\program files\Viewpoint\Viewpoint_log.txt

          .
          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          -------\Legacy_VIEWPOINT_MANAGER_SERVICE
          -------\Service_Viewpoint Manager Service


          (((((((((((((((((((((((((   Files Created from 2010-02-04 to 2010-03-04  )))))))))))))))))))))))))))))))
          .

          2010-03-02 02:37 . 2010-03-02 02:37   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Malwarebytes
          2010-03-02 02:37 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-03-02 02:37 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-03-02 00:26 . 2010-03-02 00:26   --------   d--h--w-   c:\windows\system32\GroupPolicy
          2010-02-28 20:29 . 2010-02-28 20:29   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\Threat Expert
          2010-02-28 20:24 . 2010-03-01 00:28   --------   d-----w-   c:\program files\Spyware Doctor
          2010-02-28 15:44 . 2008-04-13 19:40   34688   -c--a-w-   c:\windows\system32\dllcache\lbrtfdc.sys
          2010-02-28 15:44 . 2008-04-13 19:40   34688   ----a-w-   c:\windows\system32\drivers\lbrtfdc.sys
          2010-02-28 15:44 . 2008-04-13 19:41   8576   -c--a-w-   c:\windows\system32\dllcache\i2omgmt.sys
          2010-02-28 15:44 . 2008-04-13 19:41   8576   ----a-w-   c:\windows\system32\drivers\i2omgmt.sys
          2010-02-28 15:44 . 2008-04-13 19:40   8192   -c--a-w-   c:\windows\system32\dllcache\changer.sys
          2010-02-28 15:44 . 2008-04-13 19:40   8192   ----a-w-   c:\windows\system32\drivers\changer.sys
          2010-02-20 20:52 . 2010-02-20 20:52   --------   d-----w-   c:\program files\LyricsSeeker
          2010-02-08 00:28 . 2010-02-28 02:46   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook
          2010-02-05 00:44 . 2010-02-05 00:44   --------   d-----w-   c:\program files\iPod
          2010-02-05 00:44 . 2010-03-04 22:15   --------   d-----w-   c:\program files\iTunes

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-03-04 22:21 . 2009-12-21 20:10   --------   d-----w-   c:\program files\Common Files\Akamai
          2010-03-04 22:15 . 2009-11-26 18:12   --------   d-----w-   c:\program files\QuickTime
          2010-03-04 22:15 . 2010-01-28 23:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-03-03 22:05 . 2008-09-19 11:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
          2010-03-02 03:13 . 2009-11-10 12:00   79488   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
          2010-03-02 00:57 . 2009-03-16 22:20   --------   d-----w-   c:\program files\Common Files\Symantec Shared
          2010-02-28 21:01 . 2009-03-16 22:16   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
          2010-02-28 16:29 . 2008-09-20 21:17   --------   d-----w-   c:\program files\Safari
          2010-02-28 16:23 . 2010-02-28 16:23   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
          2010-02-28 02:46 . 2010-02-28 02:36   2110728   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
          2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_3.dll
          2010-02-26 00:04 . 2008-09-28 21:47   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\gtk-2.0
          2010-02-24 11:37 . 2007-02-12 19:36   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
          2010-02-24 02:44 . 2008-09-19 11:23   --------   d-----w-   c:\program files\Common Files\Adobe
          2010-02-08 00:28 . 2010-02-08 00:28   50354   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\uninstall.exe
          2010-02-05 00:44 . 2008-09-19 21:29   --------   d-----w-   c:\program files\Common Files\Apple
          2010-02-05 00:37 . 2010-02-05 00:37   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
          2010-02-04 18:08 . 2008-09-19 11:24   --------   d-----w-   c:\program files\Google
          2010-02-01 22:04 . 2010-02-01 22:04   847040   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\axfbootloader.dll
          2010-02-01 22:04 . 2010-02-01 22:04   5578752   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_1.dll
          2010-01-29 01:52 . 2010-01-29 01:52   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Office Genuine Advantage
          2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
          2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2010-01-22 21:01 . 2009-03-16 23:33   --------   d-----w-   c:\program files\Microsoft Silverlight
          2010-01-12 22:57 . 2008-06-20 04:12   162048   ----a-w-   c:\windows\system32\drivers\WpsHelper.sys
          2010-01-07 00:12 . 2009-12-25 19:29   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
          2010-01-02 20:19 . 2009-12-25 19:27   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
          2009-12-31 16:50 . 2004-08-04 10:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
          2009-12-27 22:39 . 2008-09-20 21:41   86760   ---ha-w-   c:\windows\system32\mlfcache.dat
          2009-12-25 19:31 . 2009-12-25 19:31   49152   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
          2009-12-25 19:31 . 2009-12-25 19:31   335872   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
          2009-12-25 19:30 . 2009-12-25 19:30   57344   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
          2009-12-24 22:35 . 2008-09-19 22:47   189992   ----a-w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2009-12-21 19:14 . 2006-03-04 03:33   916480   ------w-   c:\windows\system32\wininet.dll
          2009-12-16 18:43 . 2008-09-17 03:42   343040   ----a-w-   c:\windows\system32\mspaint.exe
          2009-12-14 07:08 . 2004-08-04 10:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2009-12-08 19:26 . 2005-03-30 01:21   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
          2009-12-08 18:43 . 2005-03-30 01:01   2023936   ------w-   c:\windows\system32\ntkrnlpa.exe
          2008-09-17 12:41 . 2008-09-17 12:41   76   --sh--r-   c:\windows\CT4CET.bin
          .
          Code:
          c:\program files\Common Files\Symantec Shared\ccapp .exe

          (((((((((((((((((((((((((((((   SnapShot@2010-03-04_03.36.28   )))))))))))))))))))))))))))))))))))))))))
          .
          + 2010-03-04 22:21 . 2010-03-04 22:21   16384              c:\windows\Temp\Perflib_Perfdata_334.dat
          + 2010-03-04 22:21 . 2010-03-04 22:21   16384              c:\windows\Temp\Perflib_Perfdata_330.dat
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "AdobeBridge"="" [N/A]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

          c:\documents and settings\Michelle Dunaway\Start Menu\Programs\Startup\
          Talking Owl Gadget.lnk - c:\program files\Talking Owl Gadget\Talking Owl Gadget.exe [2010-1-2 95232]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Event Reminder.lnk - c:\program files\PrintMaster Silver 17\Remind.exe [2006-2-22 344064]

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
          @="Driver"

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
          c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
          2010-02-28 18:10   55808   ----a-w-   c:\program files\QuickTime\qttask.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001
          "FirewallOverride"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "enablefirewall"= 0 (0x0)
          "DisableNotifications"= 1 (0x1)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
          "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
          "c:\\Program Files\\AIM6\\aim6.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
          "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
          "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
          "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
          "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "5353:TCP"= 5353:TCP:Adobe CSI CS4
          "1033:TCP"= 1033:TCP:Akamai NetSession Interface
          "5000:UDP"= 5000:UDP:Akamai NetSession Interface

          R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
          R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
          R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:54 PM 102448]
          R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [9/17/2008 7:47 AM 105984]
          S2 gupdate1c9d65c8e7f4cd4;Google Update Service (gupdate1c9d65c8e7f4cd4);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 2:28 PM 133104]
          S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [9/16/2008 11:03 PM 347648]
          S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [1/12/2008 5:32 PM 23888]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          Akamai   REG_MULTI_SZ      Akamai
          .
          Contents of the 'Scheduled Tasks' folder

          2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

          2010-03-04 c:\windows\Tasks\Google Software Updater.job
          - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 23:44]

          2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

          2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

          2010-03-04 c:\windows\Tasks\OGALogon.job
          - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://ie8-nickelback.com/start/
          uInternet Settings,ProxyOverride = *.local
          IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
          DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
          DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
          DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
          .
          - - - - ORPHANS REMOVED - - - -

          AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-03-04 17:21
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(1344)
          c:\windows\System32\BCMLogon.dll

          - - - - - - - > 'explorer.exe'(3604)
          c:\windows\system32\WININET.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\webcheck.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
          c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
          c:\windows\System32\WLTRYSVC.EXE
          c:\windows\System32\bcmwltry.exe
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\windows\system32\HPZipm12.exe
          c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
          c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
          c:\windows\system32\RUNDLL32.EXE
          c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
          .
          **************************************************************************
          .
          Completion time: 2010-03-04  17:27:50 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-03-04 22:27
          ComboFix2.txt  2010-03-04 03:42

          Pre-Run: 107,085,824,000 bytes free
          Post-Run: 107,058,651,136 bytes free

          - - End Of File - - 8428627679F475ACDC94A9D0B0C5C8E3

          evilfantasy

          • Malware Removal Specialist


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Don't Know What to Do Anymore... >:C
          « Reply #7 on: March 04, 2010, 05:40:50 PM »
          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          Folder::
          c:\Program Files\AVG

          RenV::
          c:\program files\Common Files\Symantec Shared\ccapp .exe

          Registry::
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "AdobeBridge"=-

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
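The spaced executable names that ComboFix listed earlier in the thread (qttask with a run of spaces before .exe, ccapp .exe) and that the helper's script lists under RenV:: are easy to miss by eye. The following is an added example, not part of evilfantasy's reply and not ComboFix code: a Python check that flags such names in a path list or a live directory tree, groups them by the legitimate name they imitate, and prints a RenV:: block in the layout shown above. The function names, scan_tree and SAMPLE_PATHS are mine; the sample paths are constructed from the log in this thread.

```python
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# A basename whose stem is followed by one or more spaces/tabs and then an
# executable extension: "qttask   .exe" matches, "qttask.exe" does not.
# Names with internal spaces ("Talking Owl Gadget.exe") are not flagged,
# because the whitespace must sit directly before the dot.
SPACED_EXT = re.compile(
    r"^(?P<stem>.*?\S)(?P<gap>[ \t]+)\.(?P<ext>exe|dll|sys|scr)$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, independent of host OS."""
    return re.split(r"[\\/]", path)[-1]


def is_spaced_name(path: str) -> bool:
    """True when whitespace separates the stem from the extension."""
    return SPACED_EXT.match(basename(path)) is not None


def intended_name(path: str) -> str:
    """'qttask   .exe' -> 'qttask.exe'; a normal name is returned unchanged."""
    m = SPACED_EXT.match(basename(path))
    if m is None:
        return basename(path)
    return f"{m.group('stem')}.{m.group('ext')}"


def find_spaced_executables(paths: Iterable[str]) -> List[str]:
    """Every path in the list whose basename has the spaced-extension pattern."""
    return [p for p in paths if is_spaced_name(p)]


def group_by_intended(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group flagged paths by the legitimate name they imitate, so a folder
    holding ten 'qttask<spaces>.exe' variants shows up as one entry."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in find_spaced_executables(paths):
        groups[intended_name(p).lower()].append(p)
    return dict(groups)


def renv_block(paths: Iterable[str]) -> str:
    """Render a RenV:: section in the form used by the CFScript above;
    returns an empty string when nothing is flagged."""
    found = find_spaced_executables(paths)
    if not found:
        return ""
    return "RenV::\n" + "\n".join(found) + "\n"


def scan_tree(root: str) -> List[str]:
    """Hypothetical live use: walk a directory (e.g. Program Files on the
    affected machine) and return every flagged path."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if is_spaced_name(full):
                hits.append(full)
    return hits


# Constructed sample modelled on the log in this thread. The clean qttask.exe,
# ccApp.exe and the Talking Owl Gadget entry are controls that must not be flagged.
SAMPLE_PATHS = [
    r"c:\program files\Common Files\Symantec Shared\ccapp .exe",
    r"c:\program files\Common Files\Symantec Shared\ccApp.exe",
    r"c:\program files\QuickTime\qttask           .exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\qttask.exe",
    r"c:\program files\Talking Owl Gadget\Talking Owl Gadget.exe",
    r"c:\program files\Java\jre6\bin\jusched .exe",
]

if __name__ == "__main__":
    for legit, variants in group_by_intended(SAMPLE_PATHS).items():
        print(f"{legit}: {len(variants)} spaced variant(s)")
    print(renv_block(SAMPLE_PATHS), end="")
```

Running it on SAMPLE_PATHS reports ccapp.exe, qttask.exe and jusched.exe as imitated names and prints a four-line RenV:: block; pointing scan_tree at a real folder does the same check on disk.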

          rawrr

            Topic Starter


            Rookie

            Re: Don't Know What to Do Anymore... >:C
            « Reply #8 on: March 04, 2010, 06:01:54 PM »
            ComboFix 10-03-04.02 - Michelle Dunaway 03/04/2010  19:46:59.3.2 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1373 [GMT -5:00]
            Running from: c:\documents and settings\Michelle Dunaway\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Michelle Dunaway\Desktop\CFScript.txt
            AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
            FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\program files\AVG
            c:\program files\AVG\AVG8\avg.snu
            c:\program files\AVG\AVG8\avgatend.stp
            c:\program files\AVG\AVG8\avgatupd.stp
            c:\program files\AVG\AVG8\avgchk.exe
            c:\program files\AVG\AVG8\avgchk.exe0
            c:\program files\AVG\AVG8\avginet.dll
            c:\program files\AVG\AVG8\avgiproxy.exe
            c:\program files\AVG\AVG8\avgmwdef_us.mht
            c:\program files\AVG\AVG8\avgrsx.exe
            c:\program files\AVG\AVG8\avgupd.dll
            c:\program files\AVG\AVG8\avgupd.exe
            c:\program files\AVG\AVG8\cf.dat
            c:\program files\AVG\AVG8\commonpriv.log
            c:\program files\AVG\AVG8\commonpriv.log.lock
            c:\program files\AVG\AVG8\dbghelp.dll
            c:\program files\AVG\AVG8\fixfp.exe
            c:\program files\AVG\AVG8\Icons\background_middle_gray.gif
            c:\program files\AVG\AVG8\Icons\background_middle_green.gif
            c:\program files\AVG\AVG8\Icons\background_middle_orange.gif
            c:\program files\AVG\AVG8\Icons\background_middle_red.gif
            c:\program files\AVG\AVG8\Icons\background_middle_yellow.gif
            c:\program files\AVG\AVG8\Icons\background_top_gray.gif
            c:\program files\AVG\AVG8\Icons\background_top_green.gif
            c:\program files\AVG\AVG8\Icons\background_top_orange.gif
            c:\program files\AVG\AVG8\Icons\background_top_red.gif
            c:\program files\AVG\AVG8\Icons\background_top_yellow.gif
            c:\program files\AVG\AVG8\Icons\block-doc.gif
            c:\program files\AVG\AVG8\Icons\blocked.gif
            c:\program files\AVG\AVG8\Icons\border_bottom_gray.gif
            c:\program files\AVG\AVG8\Icons\border_bottom_green.gif
            c:\program files\AVG\AVG8\Icons\border_bottom_orange.gif
            c:\program files\AVG\AVG8\Icons\border_bottom_red.gif
            c:\program files\AVG\AVG8\Icons\border_bottom_yellow.gif
            c:\program files\AVG\AVG8\Icons\border_top_gray.gif
            c:\program files\AVG\AVG8\Icons\border_top_green.gif
            c:\program files\AVG\AVG8\Icons\border_top_orange.gif
            c:\program files\AVG\AVG8\Icons\border_top_red.gif
            c:\program files\AVG\AVG8\Icons\border_top_yellow.gif
            c:\program files\AVG\AVG8\Icons\box_bottom_red.gif
            c:\program files\AVG\AVG8\Icons\box_top_red.gif
            c:\program files\AVG\AVG8\Icons\caution.gif
            c:\program files\AVG\AVG8\Icons\click_here_gray.gif
            c:\program files\AVG\AVG8\Icons\click_here_green.gif
            c:\program files\AVG\AVG8\Icons\click_here_orange.gif
            c:\program files\AVG\AVG8\Icons\click_here_red.gif
            c:\program files\AVG\AVG8\Icons\click_here_yellow.gif
            c:\program files\AVG\AVG8\Icons\clock.gif
            c:\program files\AVG\AVG8\Icons\close.gif
            c:\program files\AVG\AVG8\Icons\icons_blocked.gif
            c:\program files\AVG\AVG8\Icons\icons_caution.gif
            c:\program files\AVG\AVG8\Icons\icons_close.gif
            c:\program files\AVG\AVG8\Icons\icons_safe.gif
            c:\program files\AVG\AVG8\Icons\icons_unknown.gif
            c:\program files\AVG\AVG8\Icons\icons_warning.gif
            c:\program files\AVG\AVG8\Icons\LS_Logo_Results.gif
            c:\program files\AVG\AVG8\Icons\safe.gif
            c:\program files\AVG\AVG8\Icons\unknown.gif
            c:\program files\AVG\AVG8\Icons\warning.gif
            c:\program files\AVG\AVG8\license_us.txt
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_fr.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_it.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_nl.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_pt.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_sp.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_us.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_fr.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_it.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_nl.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_pt.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_sp.html
            c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_us.html
            c:\program files\AVG\AVG8\Notification\icon_bulb.gif
            c:\program files\AVG\AVG8\Notification\logo_avg8.gif
            c:\program files\AVG\AVG8\Notification\style.css
            c:\program files\AVG\AVG8\ph.dat
            c:\program files\AVG\AVG8\sb.dat
            c:\program files\AVG\AVG8\sb.dat.xcd
            c:\program files\AVG\AVG8\sb2.dat
            c:\program files\AVG\AVG8\sc.dat
            c:\program files\AVG\AVG8\sc.dat.xcd
            c:\program files\AVG\AVG8\updatecomps.cfg

            .
            (((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
            .

            2010-03-02 02:37 . 2010-03-02 02:37   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Malwarebytes
            2010-03-02 02:37 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-03-02 02:37 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-03-02 00:26 . 2010-03-02 00:26   --------   d--h--w-   c:\windows\system32\GroupPolicy
            2010-02-28 20:29 . 2010-02-28 20:29   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\Threat Expert
            2010-02-28 20:24 . 2010-03-01 00:28   --------   d-----w-   c:\program files\Spyware Doctor
            2010-02-28 16:23 . 2010-02-28 16:23   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
            2010-02-28 15:44 . 2008-04-13 19:40   34688   -c--a-w-   c:\windows\system32\dllcache\lbrtfdc.sys
            2010-02-28 15:44 . 2008-04-13 19:40   34688   ----a-w-   c:\windows\system32\drivers\lbrtfdc.sys
            2010-02-28 15:44 . 2008-04-13 19:41   8576   -c--a-w-   c:\windows\system32\dllcache\i2omgmt.sys
            2010-02-28 15:44 . 2008-04-13 19:41   8576   ----a-w-   c:\windows\system32\drivers\i2omgmt.sys
            2010-02-28 15:44 . 2008-04-13 19:40   8192   -c--a-w-   c:\windows\system32\dllcache\changer.sys
            2010-02-28 15:44 . 2008-04-13 19:40   8192   ----a-w-   c:\windows\system32\drivers\changer.sys
            2010-02-28 02:36 . 2010-02-28 02:46   2110728   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
            2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_3.dll
            2010-02-20 20:52 . 2010-02-20 20:52   --------   d-----w-   c:\program files\LyricsSeeker
            2010-02-08 00:28 . 2010-02-08 00:28   50354   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\uninstall.exe
            2010-02-08 00:28 . 2010-02-28 02:46   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook
            2010-02-05 00:44 . 2010-02-05 00:44   --------   d-----w-   c:\program files\iPod
            2010-02-05 00:44 . 2010-03-04 22:15   --------   d-----w-   c:\program files\iTunes
            2010-02-05 00:37 . 2010-02-05 00:37   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-03-05 00:53 . 2009-12-21 20:10   --------   d-----w-   c:\program files\Common Files\Akamai
            2010-03-04 23:06 . 2008-09-19 11:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
            2010-03-04 22:15 . 2009-11-26 18:12   --------   d-----w-   c:\program files\QuickTime
            2010-03-04 22:15 . 2010-01-28 23:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-03-02 03:13 . 2009-11-10 12:00   79488   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
            2010-03-02 00:57 . 2009-03-16 22:20   --------   d-----w-   c:\program files\Common Files\Symantec Shared
            2010-02-28 21:01 . 2009-03-16 22:16   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
            2010-02-28 16:29 . 2008-09-20 21:17   --------   d-----w-   c:\program files\Safari
            2010-02-26 00:04 . 2008-09-28 21:47   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\gtk-2.0
            2010-02-24 11:37 . 2007-02-12 19:36   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
            2010-02-24 02:44 . 2008-09-19 11:23   --------   d-----w-   c:\program files\Common Files\Adobe
            2010-02-05 00:44 . 2008-09-19 21:29   --------   d-----w-   c:\program files\Common Files\Apple
            2010-02-04 18:08 . 2008-09-19 11:24   --------   d-----w-   c:\program files\Google
            2010-02-01 22:04 . 2010-02-01 22:04   847040   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\axfbootloader.dll
            2010-02-01 22:04 . 2010-02-01 22:04   5578752   ----a-w-   c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_1.dll
            2010-01-29 01:52 . 2010-01-29 01:52   --------   d-----w-   c:\documents and settings\Michelle Dunaway\Application Data\Office Genuine Advantage
            2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
            2010-01-28 23:07 . 2010-01-28 23:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2010-01-22 21:01 . 2009-03-16 23:33   --------   d-----w-   c:\program files\Microsoft Silverlight
            2010-01-12 22:57 . 2008-06-20 04:12   162048   ----a-w-   c:\windows\system32\drivers\WpsHelper.sys
            2010-01-07 00:12 . 2009-12-25 19:29   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
            2010-01-02 20:19 . 2009-12-25 19:27   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
            2009-12-31 16:50 . 2004-08-04 10:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
            2009-12-27 22:39 . 2008-09-20 21:41   86760   ---ha-w-   c:\windows\system32\mlfcache.dat
            2009-12-25 19:31 . 2009-12-25 19:31   49152   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
            2009-12-25 19:31 . 2009-12-25 19:31   335872   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
            2009-12-25 19:30 . 2009-12-25 19:30   57344   ----a-r-   c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
            2009-12-24 22:35 . 2008-09-19 22:47   189992   ----a-w-   c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
            2009-12-21 19:14 . 2006-03-04 03:33   916480   ------w-   c:\windows\system32\wininet.dll
            2009-12-16 18:43 . 2008-09-17 03:42   343040   ----a-w-   c:\windows\system32\mspaint.exe
            2009-12-14 07:08 . 2004-08-04 10:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
            2009-12-08 19:26 . 2005-03-30 01:21   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
            2009-12-08 18:43 . 2005-03-30 01:01   2023936   ------w-   c:\windows\system32\ntkrnlpa.exe
            2008-09-17 12:41 . 2008-09-17 12:41   76   --sh--r-   c:\windows\CT4CET.bin
            .
            Code: [Select]
            c:\program files\Common Files\Symantec Shared\ccapp .exe

            (((((((((((((((((((((((((((((   SnapShot@2010-03-04_03.36.28   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2010-03-05 00:53 . 2010-03-05 00:53   16384              c:\windows\Temp\Perflib_Perfdata_3e4.dat
            + 2010-03-05 00:53 . 2010-03-05 00:53   16384              c:\windows\Temp\Perflib_Perfdata_36c.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

            c:\documents and settings\Michelle Dunaway\Start Menu\Programs\Startup\
            Talking Owl Gadget.lnk - c:\program files\Talking Owl Gadget\Talking Owl Gadget.exe [2010-1-2 95232]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Event Reminder.lnk - c:\program files\PrintMaster Silver 17\Remind.exe [2006-2-22 344064]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
            @="Driver"

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
            c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            2010-02-28 18:10   55808   ----a-w-   c:\program files\QuickTime\qttask.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\security center]
            "AntiVirusOverride"=dword:00000001
            "FirewallOverride"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "enablefirewall"= 0 (0x0)
            "DisableNotifications"= 1 (0x1)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
            "c:\\Program Files\\AIM6\\aim6.exe"=
            "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
            "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
            "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
            "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
            "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "5353:TCP"= 5353:TCP:Adobe CSI CS4
            "1033:TCP"= 1033:TCP:Akamai NetSession Interface
            "5000:UDP"= 5000:UDP:Akamai NetSession Interface

            R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
            R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:54 PM 102448]
            R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [9/17/2008 7:47 AM 105984]
            S2 gupdate1c9d65c8e7f4cd4;Google Update Service (gupdate1c9d65c8e7f4cd4);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 2:28 PM 133104]
            S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [9/16/2008 11:03 PM 347648]
            S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [1/12/2008 5:32 PM 23888]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            Akamai   REG_MULTI_SZ      Akamai
            .
            Contents of the 'Scheduled Tasks' folder

            2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

            2010-03-05 c:\windows\Tasks\Google Software Updater.job
            - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 23:44]

            2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

            2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]

            2010-03-05 c:\windows\Tasks\OGALogon.job
            - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://ie8-nickelback.com/start/
            uInternet Settings,ProxyOverride = *.local
            IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
            DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
            DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
            DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
            DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-03-04 19:59
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(1344)
            c:\windows\System32\BCMLogon.dll

            - - - - - - - > 'explorer.exe'(3360)
            c:\windows\system32\WININET.dll
            c:\windows\system32\ieframe.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
            c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
            c:\windows\System32\WLTRYSVC.EXE
            c:\windows\System32\bcmwltry.exe
            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\windows\system32\HPZipm12.exe
            c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
            c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
            c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
            c:\windows\system32\RUNDLL32.EXE
            c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
            .
            **************************************************************************
            .
            Completion time: 2010-03-04  19:59:58 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-03-05 00:59
            ComboFix2.txt  2010-03-04 22:27
            ComboFix3.txt  2010-03-04 03:42

            Pre-Run: 106,909,802,496 bytes free
            Post-Run: 107,017,216,000 bytes free

            - - End Of File - - 5DBAAE0650E9E1A509CB87FB2904ED78
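The "Reg Loading Points" section of the log above records the posture the infection left behind: Security Center told to ignore the antivirus and firewall state, product monitoring switched off, Windows Firewall disabled, and a lookalike `ccapp .exe` (note the space) sitting beside the legitimate `ccApp.exe`. The following Python is an added example, not ComboFix's or the thread's code: it parses a constructed excerpt in the same REGEDIT4 layout and flags those items; the list of "weak" settings and the legitimate file names it compares against are my assumptions.

```python
"""Triage a ComboFix 'Reg Loading Points' excerpt for weakened settings and lookalike names."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the REGEDIT4 layout ComboFix prints. Values mirror the
# thread's log; this is sample input for the example, not the original file.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# (substring of the key path, value name, value that means "weakened", description).
# Assumed mapping for this example; everything is lower-cased for matching.
WEAK_SETTINGS = [
    ("security center", "antivirusoverride", 1, "Security Center ignores antivirus state"),
    ("security center", "firewalloverride", 1, "Security Center ignores firewall state"),
    ("security center\\monitoring\\", "disablemonitoring", 1, "AV product monitoring disabled"),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0, "Windows Firewall disabled"),
    ("firewallpolicy\\standardprofile", "disablenotifications", 1, "Firewall notifications suppressed"),
]


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Group "name"=value lines under their [key] header; keys and names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes carry leading indentation
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group(1).lower()] = value.group(2).strip()
    return sections


def as_int(value: str):
    """Decode the two numeric spellings in the log: 'dword:0000000N' and 'N (0xN)'."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    digits = re.match(r"^(\d+)", value)
    return int(digits.group(1)) if digits else None


def find_weakened_settings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per (key, value) pair that matches WEAK_SETTINGS."""
    findings = []
    for key, values in sections.items():
        for fragment, name, weak_value, meaning in WEAK_SETTINGS:
            if fragment in key and name in values and as_int(values[name]) == weak_value:
                findings.append(f"{meaning}: [{key}] {name}={values[name]}")
    return findings


def lookalike_names(paths: List[str], legitimate: List[str]) -> List[Tuple[str, str]]:
    """Flag file names that equal a legitimate name once whitespace is removed
    but differ as written, e.g. 'ccapp .exe' sitting beside 'ccApp.exe'."""
    legit = {n.lower(): n for n in legitimate}
    hits = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        collapsed = re.sub(r"\s+", "", base).lower()
        if collapsed in legit and base.lower() != collapsed:
            hits.append((path, legit[collapsed]))
    return hits


if __name__ == "__main__":
    for finding in find_weakened_settings(parse_reg_points(SAMPLE_LOG)):
        print(finding)
    suspect = [r"c:\program files\Common Files\Symantec Shared\ccapp .exe"]
    for path, real in lookalike_names(suspect, ["ccApp.exe"]):
        print(f"lookalike of {real}: {path}")
```

Run against the constructed excerpt it reports five weakened settings and one lookalike; pointing it at a real ComboFix log only needs the log text and the list of executables you consider legitimate on that machine.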

            evilfantasy

            • Malware Removal Specialist


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Don't Know What to Do Anymore... >:C
            « Reply #9 on: March 04, 2010, 06:05:08 PM »
            That file isn't wanting to be removed.

            Download OTM by OldTimer to your desktop.

            Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

            * Save it to your Desktop.
            * Double-click OTM.exe to run it.
            * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

            Code: [Select]
            :Processes
            explorer.exe

            :services

            :reg

            :files
            c:\program files\Common Files\Symantec Shared\ccapp .exe

            :Commands
            [purity]
            [emptytemp]
            [start explorer]

            * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
            * Click the red Moveit! button.
            * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

            * Close OTM

            Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.


            How is the computer running now?


              rawrr

              Re: Don't Know What to Do Anymore... >:C
              « Reply #10 on: March 04, 2010, 06:38:17 PM »
              All processes killed
              ========== PROCESSES ==========
              No active process named explorer.exe was found!
              ========== SERVICES/DRIVERS ==========
              ========== REGISTRY ==========
              ========== FILES ==========
              c:\program files\Common Files\Symantec Shared\ccapp .exe moved successfully.
              ========== COMMANDS ==========
               
              [EMPTYTEMP]
               
              User: Administrator
              ->Temp folder emptied: 0 bytes
              ->Temporary Internet Files folder emptied: 0 bytes
               
              User: All Users
               
              User: Default User
              ->Temp folder emptied: 0 bytes
              ->Temporary Internet Files folder emptied: 0 bytes
              ->Flash cache emptied: 0 bytes
               
              User: LocalService
              ->Temp folder emptied: 0 bytes
              ->Temporary Internet Files folder emptied: 32902 bytes
               
              User: Michelle Dunaway
              ->Temp folder emptied: 234539 bytes
              ->Temporary Internet Files folder emptied: 21530592 bytes
              ->Java cache emptied: 0 bytes
              ->Google Chrome cache emptied: 0 bytes
              ->Apple Safari cache emptied: 1267570 bytes
              ->Flash cache emptied: 2865 bytes
               
              User: NetworkService
              ->Temp folder emptied: 0 bytes
              ->Temporary Internet Files folder emptied: 67 bytes
              ->Flash cache emptied: 1717 bytes
               
              %systemdrive% .tmp files removed: 0 bytes
              %systemroot% .tmp files removed: 0 bytes
              %systemroot%\System32 .tmp files removed: 0 bytes
              %systemroot%\System32\dllcache .tmp files removed: 0 bytes
              %systemroot%\System32\drivers .tmp files removed: 0 bytes
              Windows Temp folder emptied: 32768 bytes
              %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
              %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
              RecycleBin emptied: 0 bytes
               
              Total Files Cleaned = 22.00 mb
               
               
              OTM by OldTimer - Version 3.1.10.0 log created on 03042010_202933

              Files moved on Reboot...
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFBFC9.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFBFD6.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC063.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC070.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC151.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC15E.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC198.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC1A5.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC1DF.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC1EC.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC226.tmp not found!
              File C:\Documents and Settings\Michelle Dunaway\Local Settings\Temp\~DFC233.tmp not found!
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\YSYX4AVO\connect[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\YSYX4AVO\iframe3[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\YSYX4AVO\st[1] moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\K6UENPQ2\10[2].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\K6UENPQ2\468x60x728x90b[1].html moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\K6UENPQ2\Chapter_21_Northern_Eurasia_1_0[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\K6UENPQ2\home[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\K6UENPQ2\signin[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\HV3LFTZ7\adservercontinuation[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\HV3LFTZ7\redirectiframe[1].html moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\HV3LFTZ7\topicseen[1].html moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\HKDJ2IXM\06615[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\Content.IE5\HKDJ2IXM\history_manager[1].htm moved successfully.
              C:\Documents and Settings\Michelle Dunaway\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
              File C:\WINDOWS\temp\Perflib_Perfdata_36c.dat not found!
              File C:\WINDOWS\temp\Perflib_Perfdata_43c.dat not found!

              Registry entries deleted on Reboot...

              It's been running great! It's actually better than before because I used to have to right click and press start or go into Program Files and find the .exe to make anything run, and that was because Malwarebytes did something last time I had the fake Internet Security. Thank you so much!  ;D

              evilfantasy
              Re: Don't Know What to Do Anymore... >:C
              « Reply #11 on: March 05, 2010, 11:36:19 AM »
              If there are no more malware issues we can finish up now.

              * Click START then RUN
              * Now type Combofix /Uninstall in the runbox
              * Make sure there's a space between Combofix and /Uninstall
              * Then hit Enter.

              The above procedure will:
              * Delete: ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

              ----------

              1. Double click OTM to launch it.
              Vista and Windows 7 users right click and choose Run As Administrator
              2. Click on the CleanUp! button.
              3. OTM will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
              4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
              5. When finished exit out of OTM.

              ----------

              Use the Secunia Software Inspector to check for out of date software.

              * Click Start Scanner
              * Check the box next to Enable thorough system inspection.
              * Click Start
              * Allow the scan to finish and scroll down to see if any updates are needed.
              * Update anything listed.

              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

              ----------

              I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
              * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

                rawrr

                Re: Don't Know What to Do Anymore... >:C
                « Reply #12 on: March 05, 2010, 05:48:24 PM »
                Thank you very very much!  ;D  ;D  ;D

                  rawrr

                  Re: Don't Know What to Do Anymore... >:C
                  « Reply #13 on: March 08, 2010, 06:17:09 PM »
                  Uh oh... I just got "ActiveMovie Window: aim6.exe - Unable To Locate Component
                  This application has failed to start because ad2h264dec.dll was not found. Re-installing the application may fix this problem."

                  Does this mean that re-installing it would really fix it or is that a sign of another problem? :-\

                  evilfantasy
                  Re: Don't Know What to Do Anymore... >:C
                  « Reply #14 on: March 08, 2010, 06:40:51 PM »
                  That's an Adobe file. Not sure if it's audio or video related though. Probably a codec.

                  See if you have the Adobe Premiere Elements folder on your computer.

                  C:\Program Files\Adobe\Adobe Premiere Elements 4.0