Old 07-06-2008, 07:48 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Vista


Warning: Spyware has been detected on this computer

Hello,

I'm working on my sister's computer and it is a mess. It has Windows XP with SP3 and IE6.

The problem is that there is a blue background that says Spyware has been detected on the computer and an antivirus program needs to be downloaded. Also, a screensaver keeps popping up that looks like the blue screen of death followed by a fake reboot. The system has slowed down tremendously and almost nothing can be accomplished on it. Also, the user has been partially locked out of the display properties (cannot change background or screensaver).

Any help will be appreciated at this point.


Deckard's System Scanner v20071014.68
Run by Jay on 2008-07-06 09:22:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-07-06 14:22:38 UTC - RP1483 - Deckard's System Scanner Restore Point
5: 2008-07-06 06:00:27 UTC - RP1482 - Move file to quarantine: {02478D38-C3F9-4efb-9B51-7695ECA05670}
4: 2008-07-06 05:04:08 UTC - RP1481 - Software Distribution Service 3.0
3: 2008-07-06 03:45:51 UTC - RP1480 - Software Distribution Service 3.0
2: 2008-07-06 02:50:07 UTC - RP1479 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-05 00:31:39 UTC - RP1478 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).
System Drive C: has 3.77 GiB (less than 15%) free.


-- HijackThis (run as Jay.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:49 AM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jay\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.fastaccess.com/launch.asp
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {57c18130-b153-748a-9454-01e4b88a2271} - {1722a88b-4e10-4549-a847-351b03181c75} - (no file)
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {541A3B85-F5FF-46A1-96A9-F07229A1C76A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c17.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093028707234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1213756921703
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/G...onGameHost.cab
O20 - Winlogon Notify: vtuvwtu - vtuvwtu.dll (file missing)
O21 - SSODL: sPcFPsQ - {D4BDC672-7E17-6CD8-C805-AD84B3F4E60B} - C:\WINDOWS\System32\uux.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarOpen - Sonic Solutions - (no file)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8056 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\program files\belkin\belkin 802.11g wireless pci card configuration utility\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\1203.tmp (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 jfdcd - c:\docume~1\jay\locals~1\temp\jfdcd.sys (file missing)
S3 sysrest.sys - c:\windows\system32\sysrest.sys (file missing)
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-04 18:02:30 404 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2004-10-17 10:37:08 338 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1089666746.job


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-06 00:53:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-06 00:50:47 0 d-------- C:\Program Files\Security Task Manager
2008-07-05 23:38:37 0 d-------- C:\WINDOWS\Prefetch
2008-07-05 23:18:13 0 d-------- C:\WINDOWS\system32\scripting
2008-07-05 23:18:10 0 d-------- C:\WINDOWS\l2schemas
2008-07-05 23:18:08 0 d-------- C:\WINDOWS\system32\en
2008-07-05 23:09:34 0 d-------- C:\WINDOWS\network diagnostic
2008-07-05 21:14:00 0 d-------- C:\ZonedOut
2008-07-05 21:05:19 0 d-------- C:\Program Files\SpywareBlaster
2008-07-05 20:52:16 60928 --a------ C:\WINDOWS\system32\blphc184j0erba.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-05 15:57:16 0 d-------- C:\Program Files\Panda Security
2008-07-05 15:37:23 0 d-------- C:\Program Files\Trend Micro
2008-07-05 15:00:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-05 15:00:13 78336 --a------ C:\WINDOWS\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
2008-07-05 15:00:12 102912 --a------ C:\WINDOWS\system32\islzma.dll
2008-07-05 15:00:01 0 d-------- C:\Program Files\Webroot
2008-07-05 15:00:01 0 d-------- C:\Documents and Settings\Jay\Application Data\Webroot
2008-07-04 22:07:42 0 d-------- C:\Documents and Settings\Brandi\Application Data\WinRAR
2008-07-04 21:33:02 0 d-------- C:\Documents and Settings\Brandi\Application Data\MySpace
2008-07-04 20:36:23 0 d-------- C:\Documents and Settings\Jay\Application Data\WinRAR
2008-07-04 18:56:29 0 dr-h----- C:\Documents and Settings\Jay\Recent
2008-07-04 18:36:23 0 d-------- C:\Program Files\CCleaner
2008-07-04 18:08:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhc584j0erba
2008-06-30 09:25:09 0 d-------- C:\WINDOWS\??curity
2008-06-29 22:27:38 0 d-------- C:\Documents and Settings\Jay\Application Data\AXPFixer
2008-06-29 22:27:33 0 d-------- C:\Documents and Settings\Jay\Application Data\AXPDefender
2008-06-29 22:27:22 0 d-------- C:\WINDOWS\PixArt
2008-06-29 22:27:16 0 d-------- C:\Documents and Settings\Jay\Application Data\rhc584j0erba
2008-06-29 22:27:14 0 d-------- C:\Program Files\F?nts
2008-06-29 22:27:13 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-29 22:27:12 0 d-------- C:\Documents and Settings\Dan\Application Data\Yahoo!
2008-06-29 22:27:12 0 d-------- C:\Documents and Settings\Dan\Application Data\shc784j0erba
2008-06-29 22:27:10 0 d-------- C:\Documents and Settings\Jay\Application Data\shc784j0erba
2008-06-29 22:25:24 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-29 22:25:23 0 d-------- C:\Program Files\?dobe
2008-06-29 22:25:18 0 d-------- C:\report
2008-06-29 22:25:18 0 d-------- C:\Jay
2008-06-29 22:25:18 0 d-------- C:\Documents and Settings\Jay\ShoppingReport
2008-06-29 22:25:18 0 d-------- C:\Documents and Settings\Jay\Documents and Settings
2008-06-29 22:25:18 0 d-------- C:\Documents and Settings\Jay\Application Data\report
2008-06-29 22:25:18 0 d-------- C:\Documents and Settings\Jay\Application Data\Jay
2008-06-29 22:25:18 0 d-------- C:\Documents and Settings\Jay\Application Data\cs
2008-06-29 22:25:18 0 d-------- C:\Application Data <APPLIC~1>
2008-06-26 18:38:59 0 d-------- C:\Program Files\ROBLOX Corporation
2008-06-26 18:38:59 0 d-------- C:\Documents and Settings\Jay\Application Data\ROBLOX
2008-06-26 18:38:59 0 d-------- C:\Documents and Settings\All Users\Application Data\ROBLOX
2008-06-21 11:12:40 0 d---s---- C:\Documents and Settings\Dan\UserData
2008-06-21 1140 0 d-------- C:\Documents and Settings\Dan\Application Data\ShoppingReport
2008-06-21 11:00:55 0 d-------- C:\Documents and Settings\Dan\Application Data\MySpace
2008-06-19 03:02:48 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-07 16:12:54 0 d-------- C:\Program Files\Shockwave.com


-- Find3M Report ---------------------------------------------------------------

2008-07-06 09:18:37 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-06 01:35:21 0 d-------- C:\Program Files\Common Files
2008-07-05 23:18:50 0 d-------- C:\Program Files\Messenger
2008-07-05 23:18:07 0 d-------- C:\Program Files\Movie Maker
2008-07-05 23:12:16 0 d-------- C:\Program Files\Windows NT
2008-07-05 12:15:17 0 d-------- C:\Program Files\Norton Security Scan
2008-07-04 18:38:11 0 d-------- C:\Program Files\Symantec
2008-07-04 17:32:42 0 d-------- C:\Documents and Settings\Jay\Application Data\Mozilla
2008-07-04 17:29:03 0 d-------- C:\Program Files\Yahoo!
2008-07-04 17:26:54 0 d-------- C:\Program Files\Google
2008-06-29 22:27:55 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-29 22:27:14 0 d-------- C:\Program Files\F?nts
2008-06-29 22:25:23 0 d-------- C:\Program Files\?dobe
2008-06-22 22:02:09 0 d-------- C:\Documents and Settings\Jay\Application Data\MSN6
2008-06-03 07:21:15 0 d-------- C:\Program Files\Nbfpo
2008-05-23 17:28:39 0 d-------- C:\Documents and Settings\Jay\Application Data\Adobe
2008-05-23 17:28:20 0 d-------- C:\Program Files\Adobe Media Player
2008-05-23 17:28:04 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-13 20:33:45 0 d-------- C:\Program Files\Cat Daddy Games
2008-05-13 20:33:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-12 20:47:27 0 d-------- C:\Documents and Settings\Jay\Application Data\MySpace
2008-05-12 20:47:22 0 d-------- C:\Program Files\MySpace
2008-04-26 16:08:04 4096 --a------ C:\WINDOWS\d3dx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1722a88b-4e10-4549-a847-351b03181c75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}]
C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{541A3B85-F5FF-46A1-96A9-F07229A1C76A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
03/05/2008 07:48 AM 78848 --a------ C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/18/2006 07:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/03/2006 07:08 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 06:27 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Jay\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [8/5/2006 8:41:56 AM]
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sPcFPsQ"= {D4BDC672-7E17-6CD8-C805-AD84B3F4E60B} - C:\WINDOWS\System32\uux.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwtu]
vtuvwtu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-06 09:30:30 ------------
Attached Files
File Type: txt extra.txt (19.3 KB, 0 views)
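The HijackThis log above is triaged by hand in this thread (the helper looks for registrations whose file is gone, unfamiliar Winlogon Notify and SSODL entries, and programs starting from Temp folders). The script below is an added illustration of that triage as code; it is not part of the original post and not a HijackThis feature. Its sample input reuses lines from the log above plus one constructed O4 line with a placeholder user folder (OWNER~1) and a made-up file name (upd.exe) to exercise the Temp-folder rule. The section classification (O2, O4, O20, O21) follows HijackThis's own numbering; the severities are this example's judgement, not a standard.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed O4 line (placeholder profile OWNER~1, made-up file upd.exe).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\OWNER~1\LOCALS~1\Temp\upd.exe
O20 - Winlogon Notify: vtuvwtu - vtuvwtu.dll (file missing)
O21 - SSODL: sPcFPsQ - {D4BDC672-7E17-6CD8-C805-AD84B3F4E60B} - C:\WINDOWS\System32\uux.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section code, e.g. "O20"
    severity: str   # "high" or "medium" (this example's own scale)
    reasons: list   # every rule the line tripped
    line: str       # the original log line


# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# HijackThis marks registrations whose target file no longer exists this way.
ORPHAN_RE = re.compile(r"\((no file|file missing)\)$")
# Any path component named Temp (user temp or C:\WINDOWS\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Autostart locations that load a DLL into winlogon.exe / explorer.exe;
# legitimate software rarely touches these on XP, so every entry is reviewed.
PRIVILEGED = {
    "O20": "Winlogon Notify DLL (loaded into winlogon.exe at logon)",
    "O21": "ShellServiceObjectDelayLoad entry (loaded into explorer.exe)",
}


def triage(log_text):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        reasons, high = [], False
        if ORPHAN_RE.search(body):
            reasons.append("registration points at a file that is gone (orphaned entry)")
        if section in PRIVILEGED:
            reasons.append(PRIVILEGED[section] + ": confirm the DLL is known before keeping it")
            high = True
        if section == "O4" and TEMP_RE.search(body):
            reasons.append("autostart program runs from a Temp folder")
            high = True
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("Browser Helper Object registered without a name")
        if reasons:
            findings.append(Finding(section, "high" if high else "medium", reasons, line))
    return findings


def report(findings):
    """Plain-text summary, one finding per pair of lines."""
    out = []
    for f in findings:
        out.append(f"[{f.severity.upper():6}] {f.section}: {'; '.join(f.reasons)}")
        out.append(f"          {f.line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample input the script flags five of the eight lines: the two nameless BHOs whose files are gone, the constructed Temp-folder autostart, and the O20/O21 entries (which are also orphaned). The Acrobat BHO, the QuickTime Run entry and the Symantec service pass untouched, which is the point: a triage rule set should surface the handful of lines worth a human look rather than the whole log.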
Old 07-08-2008, 11:33 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 21,381
OS: Win XP Pro SP3

Re: Warning: Spyware has been detected on this computer

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Download SDFix and save it to your desktop.
Do not do anything with this yet!




Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.




SDBot Fix
  • Right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here with a new HijackThis log.




Combofix
Now we'll use ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that ComboFix is saved directly to your desktop**

Please ensure you read this guide carefully and install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. A quick guide is detailed below.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.

Once you've downloaded the appropriate RC setup package for your system to the desktop, follow these instructions:
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.




  • When the tool is finished, it will produce a report for you.

Please post the log C:\ComboFix.txt along with a fresh HijackThis log for further review.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs
Old 07-09-2008, 07:50 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Vista


Re: Warning: Spyware has been detected on this computer

Hello and thank you for your help.

This will be a two post update.

This post will contain the SDBot report along with the HijackThis log.



SDFix: Version 1.203
Run by Administrator on Tue 07/08/2008 at 11:54 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Checking Services :

Name :
sysrest.sys
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\system32\sysrest.sys
\??\C:\WINDOWS\TEMP\1203.tmp

sysrest.sys - Deleted
{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default ScreenSaver value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\BLPHC1~1.SCR - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Temp\tpBe12 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 09:21:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Reality Pump\\World War III Black Gold\\Setup.exe"="C:\\Program Files\\Reality Pump\\World War III Black Gold\\Setup.exe:*:Disabled:Setup"
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"="C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Safe-Share\\giFT\\giFTl.exe"="C:\\Program Files\\Safe-Share\\giFT\\giFTl.exe:*:Disabled:giFT Loader for SafeShare(http://www.safeshare.com)"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Disabled:LaunchPad"
"C:\\Program Files\\PANZERS - Phase1\\Run\\PANZERS.exe"="C:\\Program Files\\PANZERS - Phase1\\Run\\PANZERS.exe:*:Disabled:-"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
"C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."
"C:\\Documents and Settings\\Jay\\Local Settings\\Temp\\.ttF8.tmp"="C:\\Documents and Settings\\Jay\\Local Settings\\Temp\\.ttF8.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 25 Jul 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 15 May 2003 43,008 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT40.tmp"
Sun 6 Jul 2008 8,914,472 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4201c5e4a300d9d287d57826449b6e1d\BIT35.tmp"
Wed 17 Nov 2004 0 ...H. --- "C:\Documents and Settings\Jay\Application Data\Microsoft\Word\~WRL2456.tmp"

Finished!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:18 AM, on 7/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.fastaccess.com/launch.asp
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {57c18130-b153-748a-9454-01e4b88a2271} - {1722a88b-4e10-4549-a847-351b03181c75} - (no file)
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {541A3B85-F5FF-46A1-96A9-F07229A1C76A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c17.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093028707234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1213756921703
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/G...onGameHost.cab
O20 - Winlogon Notify: vtuvwtu - vtuvwtu.dll (file missing)
O21 - SSODL: sPcFPsQ - {D4BDC672-7E17-6CD8-C805-AD84B3F4E60B} - C:\WINDOWS\System32\uux.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarOpen - Sonic Solutions - (no file)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8060 bytes
TehSmithster is offline  
Old 07-09-2008, 09:15 AM   #4 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Vista


Re: Warning: Spyware has been detected on this computer

Hello again.

Here is my second post.

This one contains the logs from ComboFix and the most recent HijackThis.



ComboFix 08-07-08.9 - Jay 2008-07-09 10:35:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.16 [GMT -5:00]
Running from: C:\Documents and Settings\Jay\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jay\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dan\Application Data\ShoppingReport
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Dan\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\favicon.ico
C:\Documents and Settings\Jay\Application Data\AXPDefender
C:\Documents and Settings\Jay\Application Data\CROSOF~1
C:\Documents and Settings\Jay\Application Data\ECURIT~1
C:\Documents and Settings\Jay\Application Data\MCROSO~1
C:\Documents and Settings\Jay\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPDefender.lnk
C:\Documents and Settings\Jay\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Jay\Application Data\RACLE~1
C:\Documents and Settings\Jay\Application Data\SKS~1
C:\Documents and Settings\Jay\Application Data\SMANTE~1
C:\Documents and Settings\Jay\Application Data\SMBOLS~1
C:\Documents and Settings\Jay\Application Data\SSTEM~1
C:\Documents and Settings\Jay\My Documents\APPATC~1
C:\Documents and Settings\Jay\My Documents\CURITY~1
C:\Documents and Settings\Jay\My Documents\FNTS~1
C:\Documents and Settings\Jay\My Documents\ICROSO~1
C:\Documents and Settings\Jay\My Documents\ICROSO~2
C:\Documents and Settings\Jay\My Documents\SKS~1
C:\Documents and Settings\Jay\My Documents\WNSXS~1
C:\Documents and Settings\Jay\My Documents\YSTEM3~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\dobe~1
C:\Program Files\fnts~1
C:\Program Files\mbols~1
C:\Program Files\ppatch~1
C:\Program Files\racle~1
C:\WINDOWS\appatc~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\icroso~1
C:\WINDOWS\racle~1
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\glkiwjqx.ini
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~2
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\wfxnuljb.ini
C:\WINDOWS\system32\xybeg.ini
C:\WINDOWS\SYSTEM32\xybeg.ini2
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ymante~1

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-09 09:12 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-07-08 23:36 . 2008-07-08 23:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-08 23:31 . 2008-07-08 23:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-06 09:21 . 2008-07-06 09:21 <DIR> d-------- C:\Deckard
2008-07-06 00:53 . 2008-07-06 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-06 00:50 . 2008-07-06 00:51 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-05 23:18 . 2008-07-05 23:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-05 23:18 . 2008-07-05 23:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-05 23:18 . 2008-07-05 23:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-05 23:03 . 2008-07-05 22:52 60,928 --a------ C:\WINDOWS\SYSTEM32\79.tmp
2008-07-05 22:35 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-05 22:35 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-05 22:35 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-05 22:35 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-07-05 22:35 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-07-05 22:35 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-07-05 22:34 . 2008-04-13 19:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-07-05 22:34 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-05 22:34 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-05 22:34 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\SYSTEM32\qagent.dll
2008-07-05 22:34 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-07-05 22:34 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\SYSTEM32\qutil.dll
2008-07-05 22:34 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\SYSTEM32\qcliprov.dll
2008-07-05 22:34 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\SYSTEM32\rasqec.dll
2008-07-05 22:34 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\SYSTEM32\setupn.exe
2008-07-05 22:34 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-07-05 22:32 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-05 22:31 . 2008-04-13 19:11 233,472 --------- C:\WINDOWS\SYSTEM32\azroles.dll
2008-07-05 22:31 . 2008-04-13 19:11 12,800 --------- C:\WINDOWS\SYSTEM32\credssp.dll
2008-07-05 22:31 . 2008-04-13 19:11 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-07-05 22:30 . 2008-04-13 19:11 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-07-05 22:20 . 2008-07-05 22:10 60,928 --a------ C:\WINDOWS\SYSTEM32\5A.tmp
2008-07-05 21:14 . 2008-07-05 21:24 <DIR> d-------- C:\ZonedOut
2008-07-05 21:05 . 2008-07-05 21:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-05 15:58 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-05 15:57 . 2008-07-05 15:57 <DIR> d-------- C:\Program Files\Panda Security
2008-07-05 15:37 . 2008-07-05 15:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-05 15:00 . 2008-07-05 15:00 <DIR> d-------- C:\Program Files\Webroot
2008-07-05 15:00 . 2008-07-05 15:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-05 15:00 . 2008-07-05 15:00 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\Webroot
2008-07-05 15:00 . 2004-02-11 18:27 102,912 --a------ C:\WINDOWS\SYSTEM32\islzma.dll
2008-07-05 15:00 . 2005-11-16 14:35 78,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssi.sys
2008-07-04 22:08 . 2008-07-04 22:08 16,244 --a------ C:\WINDOWS\SYSTEM32\rrt_is.wav
2008-07-04 22:08 . 2008-07-04 22:08 7,302 --a------ C:\WINDOWS\SYSTEM32\rrt_vf.wav
2008-07-04 22:08 . 2008-07-04 22:08 7,148 --a------ C:\WINDOWS\SYSTEM32\rrt_tv.wav
2008-07-04 22:08 . 2008-07-04 22:08 6,282 --a------ C:\WINDOWS\SYSTEM32\rrt_tn.wav
2008-07-04 21:33 . 2008-07-04 21:33 <DIR> d-------- C:\Documents and Settings\Brandi\Application Data\MySpace
2008-07-04 18:36 . 2008-07-04 18:36 <DIR> d-------- C:\Program Files\CCleaner
2008-07-04 18:08 . 2008-07-04 18:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\rhc584j0erba
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\WINDOWS\PixArt
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\shc784j0erba
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\rhc584j0erba
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\AXPFixer
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Yahoo!
2008-06-29 22:27 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\shc784j0erba
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\report
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Jay
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\report
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Jay\ShoppingReport
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Jay\Documents and Settings
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\report
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\Jay
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\cs
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\cs
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Documents and Settings\Application Data
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Application Data
2008-06-26 18:38 . 2008-06-26 18:38 <DIR> d-------- C:\Program Files\ROBLOX Corporation
2008-06-26 18:38 . 2008-06-26 18:42 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\ROBLOX
2008-06-26 18:38 . 2008-06-26 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ROBLOX
2008-06-23 14:23 . 2005-01-14 09:32 53,248 --a------ C:\WINDOWS\SYSTEM32\PAStiSvc.exe
2008-06-23 14:22 . 2008-04-13 19:12 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll
2008-06-21 11:12 . 2008-06-29 22:27 <DIR> d---s---- C:\Documents and Settings\Dan\UserData
2008-06-21 11:00 . 2008-06-21 11:00 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\MySpace
2008-06-19 03:02 . 2008-06-29 22:25 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-18 03:40 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-06-18 03:40 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-06-10 17:03 . 2008-05-08 09:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-06-10 17:00 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 16:00 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-09 15:23 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-05 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-04 23:38 --------- d-----w C:\Program Files\Symantec
2008-07-04 22:29 --------- d-----w C:\Program Files\Yahoo!
2008-07-04 22:26 --------- d-----w C:\Program Files\Google
2008-06-30 03:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 03:02 --------- d-----w C:\Documents and Settings\Jay\Application Data\MSN6
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 21:13 --------- d-----w C:\Program Files\Shockwave.com
2008-06-03 12:21 --------- d-----w C:\Program Files\Nbfpo
2008-05-23 22:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-23 22:28 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-14 01:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 01:33 --------- d-----w C:\Program Files\Cat Daddy Games
2008-05-13 01:47 --------- d-----w C:\Program Files\MySpace
2008-05-13 01:47 --------- d-----w C:\Documents and Settings\Jay\Application Data\MySpace
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-21 06:44 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 06:44 666,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-04-21 06:44 3,066,880 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\SYSTEM32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\SYSTEM32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2008-04-14 00:10 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 00:10 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tmigrate.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\SYSTEM32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\SYSTEM32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\SYSTEM32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\SYSTEM32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\SYSTEM32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\SYSTEM32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\SYSTEM32\dssenh.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\SYSTEM32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\SYSTEM32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\SYSTEM32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\SYSTEM32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\SYSTEM32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\SYSTEM32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\SYSTEM32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\SYSTEM32\moricons.dll
2008-04-13 16:43 70,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2008-04-13 16:26 56,832 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\SYSTEM32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\SYSTEM32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\SYSTEM32\msimsg.dll
2006-09-25 23:40 95,160 ----a-w C:\Documents and Settings\Jay\Application Data\GDIPFONTCACHEV1.DAT
2005-07-03 18:03 0 ---ha-w C:\Documents and Settings\Brandi\hpothb07.dat
2005-07-03 18:02 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-04-15 02:00 321 ---ha-w C:\Documents and Settings\Jay\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-18 07:36 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-03 19:08 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

C:\Documents and Settings\Brett\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-11-05 16:57:49 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [2006-08-05 08:41:56 1523712]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-11-16 14:35]
R2 iWinGamesInstaller;iWinGamesInstaller;C:\Program Files\iWin Games\iWinGamesInstaller.exe [2008-03-05 07:49]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 jfdcd;jfdcd;C:\DOCUME~1\Jay\LOCALS~1\Temp\jfdcd.sys []
S3 PAC7311;Trust WB-3300p Mini HiRes Webcam;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-10-18 11:48]

.
Contents of the 'Scheduled Tasks' folder
"2004-10-17 15:37:08 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1089666746.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-07-04 23:02:30 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1722a88b-4e10-4549-a847-351b03181c75} - (no file)
BHO-{541A3B85-F5FF-46A1-96A9-F07229A1C76A} - (no file)
SSODL-sPcFPsQ-{D4BDC672-7E17-6CD8-C805-AD84B3F4E60B} - C:\WINDOWS\System32\uux.dll
Notify-vtuvwtu - vtuvwtu.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 10:54:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [512] 0xFFA3F5A8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\PAStiSvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-09 11:08:02 - machine was rebooted [Jay]
ComboFix-quarantined-files.txt 2008-07-09 16:07:43

Pre-Run: 4,852,224,000 bytes free
Post-Run: 5,199,917,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

323 --- E O F --- 2008-07-04 23:51:02




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:38 AM, on 7/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.fastaccess.com/launch.asp
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c17.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093028707234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1213756921703
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/G...onGameHost.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarOpen - Sonic Solutions - (no file)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7612 bytes
Old 07-09-2008, 01:59 PM   #5 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian
Join Date: Sep 2005
Location: Glasgow
Posts: 21,381
OS: Win XP Pro SP3
Re: Warning: Spyware has been detected on this computer

Hi again

You have a serious infection of the boot sector of your hard drive and I’d like to deal with that first.

Please download MBR Rootkit Detector by GMER to your desktop.
  • Double click mbr.exe to run a scan.
  • It will produce a log on your desktop called mbr.log.
  • Post the contents of that log in your next reply.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::