Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2
12/4/2008 6:08:06 PM
mbam-log-2008-12-04 (18-08-06).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 185867
Time elapsed: 59 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 108
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.
ComboFix
ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 20 42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]
*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-04 19:39:57
ComboFix-quarantined-files.txt 2008-12-05 00:39:55
ComboFix2.txt 2008-12-05 00:36:11
ComboFix3.txt 2008-12-04 23:49:42
Pre-Run: 142,339,633,152 bytes free
Post-Run: 142,325,522,432 bytes free
312 --- E O F --- 2008-12-03 22:57:03
Hi Katana,
Here are the ComboFix and malware logs. Your instructions also mentioned a new HijackThis log. How do I create that? I completed the instructions, including new Java and Adobe. I'm still receiving WinWeb Security pop-ups. I receive a small message in the bottom corner, and two large boxes that appear. One is a WinWeb system scan, and the other states "winweb security has blocked a program from accessing the web." I click the X and it asks "continue unprotected?" Thank you for your help.