Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
07-01-2009, 11:24 AM   #1
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Antivirus System Pro + Other possible malware

I do have Antivirus System Pro and its ridiculous pop-ups infecting my computer now. Also IE will occasionally pop up with a homepage of ******, or other URLs. It's nearly impossible to browse the internet or install programs, as I get the message "'xxx.xxx' is infected, would you like to install antivirus software?" Anyway, I hope I get this done right.

Also, IE kept popping up while GMER was running, and that may have had an effect on its results. I had to go into Safe Mode in order to get DDS to run.


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Beany at 13:08:24.64 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.800 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
svchost
C:\Documents and Settings\Beany\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: BHO: {029d18cb-8632-463c-93b7-c210ae50c722} - c:\windows\system32\iehelper.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sysldtray] c:\windows\ld11.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-30 64160]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
S2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-6-29 16512]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-24 101936]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVENG.SYS [2009-6-30 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVEX15.SYS [2009-6-30 876144]

=============== Created Last 30 ================

2009-07-01 12:23 <DIR> --d----- c:\docume~1\beany\applic~1\GetRightToGo
2009-07-01 10:51 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-01 10:38 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 06:34 0 a------- c:\windows\567788.bat
2009-07-01 06:34 33,792 a------- c:\windows\strt_1246444477.exe
2009-06-30 22:01 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-30 21:56 <DIR> --d----- c:\program files\Lavasoft
2009-06-30 21:31 2 a------- c:\windows\0101120101465749.dat
2009-06-30 21:31 1 ----h--- c:\windows\bf23567.dat
2009-06-30 21:31 33,792 a------- c:\windows\freddy49.exe
2009-06-30 20:41 12,544 a------- c:\windows\system32\iehelper.dll
2009-06-30 20:31 304,896 a------- c:\windows\sysguard.exe
2009-06-30 20:31 2 a------- c:\windows\010112010146118114.dat
2009-06-30 20:31 28,160 ----h--- c:\windows\ld11.exe
2009-06-29 15:47 22,528 a------- c:\windows\system32\WNASPI32.DLL
2009-06-29 15:47 16,512 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-06-27 19:15 93 a------- c:\windows\system32\SKYNETdorpowds.dat
2009-06-27 13:04 <DIR> --d----- c:\program files\Zango
2009-06-24 21:32 32,592 a------- c:\windows\system32\msonpmon.dll
2009-06-24 21:12 <DIR> --dsh--- c:\documents and settings\beany\IECompatCache
2009-06-24 21:11 <DIR> --dsh--- c:\documents and settings\beany\PrivacIE
2009-06-24 21:10 <DIR> --dsh--- c:\documents and settings\beany\IETldCache
2009-06-24 21:07 <DIR> --d----- c:\windows\ie8updates
2009-06-24 21:06 <DIR> -cd-h--- c:\windows\ie8
2009-06-24 21:05 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-24 21:05 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-24 21:05 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-24 21:05 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-24 21:05 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-24 21:00 2 a------- c:\windows\msoffice.ini
2009-06-24 20:50 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-24 20:50 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-24 20:50 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-24 20:50 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-24 20:49 <DIR> --d----- c:\program files\Symantec
2009-06-24 20:49 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-24 20:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-24 20:49 <DIR> --d----- C:\IUware Online
2009-06-22 06:38 93 a------- c:\windows\system32\SKYNET.dat
2009-06-20 17:51 <DIR> --d----- c:\docume~1\beany\applic~1\Malwarebytes
2009-06-20 17:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-20 16:51 130,781 a------- c:\windows\system32\SKYNETeoxoyptq.dat
2009-06-20 01:50 <DIR> --d----- c:\windows\system32\scripting
2009-06-20 01:50 <DIR> --d----- c:\windows\l2schemas
2009-06-20 01:50 <DIR> --d----- c:\windows\system32\en
2009-06-20 01:50 <DIR> --d----- c:\windows\system32\bits
2009-06-20 01:47 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-20 01:45 <DIR> --d----- c:\windows\network diagnostic
2009-06-20 01:18 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-20 01:16 295,424 -------- c:\windows\system32\dllcache\termsrv.dll
2009-06-18 09:23 <DIR> --d----- c:\docume~1\beany\applic~1\Corel Photo Album
2009-06-18 09:22 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-06-18 09:22 88 ---shr-- c:\windows\system32\DF12408E5B.sys
2009-06-15 13:06 <DIR> --d-h--- c:\windows\PIF
2009-06-14 22:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Last.fm
2009-06-14 22:58 <DIR> --d----- c:\program files\Last.fm
2009-06-14 22:18 <DIR> --d----- c:\docume~1\beany\applic~1\DemoCreator
2009-06-14 18:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-14 18:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-14 17:28 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-14 17:11 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-06-14 17:11 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-06-14 13:08 <DIR> --d----- c:\program files\uTorrent
2009-06-14 13:08 <DIR> --d----- c:\docume~1\beany\applic~1\uTorrent
2009-06-14 13:07 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-06-14 13:07 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-14 11:08 <DIR> --d----- c:\program files\dl_Cats
2009-06-14 11:02 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-14 11:02 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-06-14 11:02 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-06-14 10:57 4,128 a------- C:\INFCACHE.1
2009-06-14 01:09 <DIR> --d----- c:\program files\MSXML 4.0
2009-06-14 01:05 276,992 -------- c:\windows\system32\wmphoto.dll
2009-06-14 01:03 180,360 -------- c:\windows\system32\drivers\ntmtlfax.sys
2009-06-14 01:02 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-06-14 01:01 650,752 -------- c:\windows\system32\dot3ui.dll
2009-06-14 00:47 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-14 00:47 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 00:47 <DIR> --d----- c:\program files\iPod
2009-06-14 00:47 <DIR> --d----- c:\program files\iTunes
2009-06-14 00:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 00:47 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-14 00:47 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-14 00:44 <DIR> --d----- c:\program files\Bonjour
2009-06-14 00:35 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-06-14 00:35 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-14 00:35 2,330,624 -------- c:\windows\system32\dllcache\WMVCore.dll
2009-06-14 00:35 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-06-14 00:35 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-06-14 00:35 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-06-14 00:34 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-06-14 00:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-06-14 00:34 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-06-14 00:34 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-06-14 00:34 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 00:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-14 00:34 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-14 00:32 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-14 00:32 21,504 a------- c:\windows\system32\hidserv.dll
2009-06-14 00:32 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-06-14 00:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-14 00:32 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-14 00:32 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-14 00:32 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-13 23:39 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-13 23:38 <DIR> --d----- c:\program files\DellSupport
2009-06-13 23:38 <DIR> --dsh--- c:\documents and settings\beany\UserData
2009-06-13 23:36 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-13 23:36 <DIR> --d----- c:\docume~1\beany\applic~1\McAfee.com Personal Firewall
2009-06-13 23:35 <DIR> --d----- c:\documents and settings\Beany

==================== Find3M ====================

2009-06-20 01:53 89,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 00:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll

============= FINISH: 13:08:33.57 ===============
Attached Files
File Type: zip Attach.zip (4.6 KB, 3 views)
Grahamiamiam is offline  
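The entries an analyst picks out of the DDS report above (the BHO with no real name loading iehelper.dll, the uRun/mRun entries pointing at sysguard.exe and ld11.exe directly under c:\windows, and the hidden, recently created ld11.exe) can be found mechanically. The Python script below is an added example, not part of the poster's log and not a tool from this forum: it parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log and flags autostart entries whose target was created in the last 30 days or lives directly in the Windows directory, plus recently created executables that are hidden or dropped there. The sample lines are copied from the log above; the heuristics and every function name (`parse_dds`, `triage`, `command_target`, `in_windows_root`) are my own.

```python
import re
from pathlib import PureWindowsPath

# Lines excerpted from the DDS report in the first post (a constructed subset,
# not a complete log); section headers are kept so a full report parses unchanged.
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============
BHO: BHO: {029d18cb-8632-463c-93b7-c210ae50c722} - c:\windows\system32\iehelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [sysldtray] c:\windows\ld11.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
=============== Created Last 30 ================
2009-07-01 06:34 33,792 a------- c:\windows\strt_1246444477.exe
2009-06-30 21:31 33,792 a------- c:\windows\freddy49.exe
2009-06-30 20:41 12,544 a------- c:\windows\system32\iehelper.dll
2009-06-30 20:31 304,896 a------- c:\windows\sysguard.exe
2009-06-30 20:31 28,160 ----h--- c:\windows\ld11.exe
2009-06-29 15:47 22,528 a------- c:\windows\system32\WNASPI32.DLL
2009-06-24 20:50 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
"""

# Line shapes DDS uses for Run-key entries, BHOs and the "Created" file list.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.*)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.*)$"
)
WINDOWS_ROOT = PureWindowsPath("c:/windows")
EXECUTABLE_EXT = (".exe", ".dll", ".sys")


def command_target(cmd):
    """Program path from an autostart command line: a quoted path, or the
    first whitespace-delimited token; arguments are dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split(" ", 1)[0].lower()


def parse_dds(text):
    """Return (autostarts, created): (kind, name, path) tuples for Run/BHO
    entries, and a dict path -> attribute string for created files."""
    autostarts, created = [], {}
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            autostarts.append(("Run", m["name"], command_target(m["cmd"])))
            continue
        m = BHO_RE.match(line)
        if m:
            autostarts.append(("BHO", m["name"], m["path"].strip().lower()))
            continue
        m = CREATED_RE.match(line)
        if m and m["size"] != "<DIR>":
            created[m["path"].strip().lower()] = m["attrs"]
    return autostarts, created


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, a place
    legitimate installers almost never put their own executables."""
    return PureWindowsPath(path).parent == WINDOWS_ROOT


def triage(text):
    """Return {path: [reasons]} for entries worth an analyst's attention first."""
    autostarts, created = parse_dds(text)
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append(reason)

    for kind, name, path in autostarts:
        if path in created:
            flag(path, f"{kind} entry [{name}] loads a file created in the last 30 days")
        if in_windows_root(path):
            flag(path, f"{kind} entry [{name}] loads directly from the Windows directory")
        if kind == "BHO" and name.strip().lower() in ("", "bho"):
            flag(path, "BHO registered with a generic or empty name")
    for path, attrs in created.items():
        if not path.endswith(EXECUTABLE_EXT):
            continue
        if "h" in attrs:
            flag(path, "recently created executable carries the hidden attribute")
        if in_windows_root(path) and path.endswith(".exe"):
            flag(path, "executable recently dropped directly in the Windows directory")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(DDS_EXCERPT).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the excerpt, the script reports sysguard.exe, ld11.exe, iehelper.dll and the two other executables dropped under c:\windows, and stays silent on ctfmon.exe, the Google toolbar and the Symantec entries. The heuristics deliberately key on location, recency and attributes rather than on file names, since rogue antivirus families rename their droppers freely; the same signals are what the analyst's later ComboFix deletion list confirms.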
07-02-2009, 12:57 AM   #2
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,257
OS: Windows 7 Premium x64


Re: Antivirus System Pro + Other possible malware

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users, please make sure you run all commands with administrator rights (right-click the icon and choose Run as administrator).

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please scan with a fresh copy of GMER.

This time I want you to rename it before you save it to your hard drive. When prompted, save the file as arkscan.

First delete the version of GMER that you are currently running.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop and attach it in your next reply
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
07-02-2009, 08:03 AM   #3
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Re: Antivirus System Pro + Other possible malware

Hi, Steve
Thanks for the support.
I, at one time, had McAfee installed on my computer. I don't believe it is now, as it's not in Add/Remove Programs or the active processes in Task Manager, nor are any program files from it found in C:/
For another odd reason, its SpamKiller was supposed to run on startup, as I learned from msconfig. So I've disabled that, and otherwise, I don't really believe McAfee still exists on my computer. Would it still be safe to run ComboFix?
Grahamiamiam is offline  
07-02-2009, 03:01 PM   #4
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Re: Antivirus System Pro + Other possible malware

Here is attached GMER scan.
Attached Files
File Type: txt ark.txt (2.1 KB, 2 views)
Grahamiamiam is offline  
07-02-2009, 04:21 PM   #5
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,257
OS: Windows 7 Premium x64


Re: Antivirus System Pro + Other possible malware

Hi there Graham

Yes, it will be safe to run ComboFix; once done, post back with the resulting log.
sjb007 is offline  
07-02-2009, 05:32 PM   #6
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Re: Antivirus System Pro + Other possible malware

ComboFix.txt attached.


ComboFix 09-07-02.02 - Beany 07/02/2009 19:20.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.758 [GMT -4:00]
Running from: c:\documents and settings\Beany\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\zango
c:\program files\zango\bin\10.3.85.0\HostOE.dll
c:\windows\010112010146118114.dat
c:\windows\freddy49.exe
c:\windows\Installer\1022d9.msi
c:\windows\Installer\1022da.msp
c:\windows\kb913800.exe
c:\windows\ld11.exe
c:\windows\sysguard.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\SKYNETdorpowds.dat
c:\windows\system32\SKYNETeoxoyptq.dat
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 23:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-02 21:55 . 2009-07-02 21:55 29184 ----a-w- c:\windows\system32\gdi32lib.dll
2009-07-01 17:05 . 2009-07-01 17:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-07-01 16:23 . 2009-07-01 16:24 -------- d-----w- c:\documents and settings\Beany\Application Data\GetRightToGo
2009-07-01 14:38 . 2009-07-01 14:38 -------- d-----w- c:\program files\Trend Micro
2009-07-01 10:34 . 2009-07-01 10:34 0 ----a-w- c:\windows\567788.bat
2009-07-01 10:34 . 2009-07-01 10:34 33792 ----a-w- c:\windows\strt_1246444477.exe
2009-07-01 02:01 . 2009-07-01 02:01 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-01 01:56 . 2009-07-01 09:25 -------- d-----w- c:\program files\Lavasoft
2009-07-01 01:56 . 2009-07-01 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-01 01:31 . 2009-07-01 01:31 2 ----a-w- c:\windows\0101120101465749.dat
2009-07-01 01:31 . 2009-07-01 01:31 1 ---h--w- c:\windows\bf23567.dat
2009-06-29 19:47 . 2002-07-17 13:05 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-06-29 19:47 . 2001-03-18 02:34 22528 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-06-25 13:11 . 2009-06-25 13:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 01:32 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-06-25 01:31 . 2009-06-25 01:31 -------- d-----w- c:\program files\Microsoft Works
2009-06-25 01:31 . 2009-06-25 01:31 -------- d-----w- c:\program files\MSBuild
2009-06-25 01:30 . 2009-06-25 01:30 -------- d-----w- c:\program files\Microsoft.NET
2009-06-25 01:27 . 2009-06-25 01:27 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Microsoft Help
2009-06-25 01:27 . 2009-06-25 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-25 01:27 . 2009-06-25 01:27 -------- d--h--r- C:\MSOCache
2009-06-25 01:12 . 2009-06-25 01:12 -------- d-sh--w- c:\documents and settings\Beany\IECompatCache
2009-06-25 01:11 . 2009-06-25 01:11 -------- d-sh--w- c:\documents and settings\Beany\PrivacIE
2009-06-25 01:10 . 2009-06-25 01:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-25 01:10 . 2009-06-25 01:10 -------- d-sh--w- c:\documents and settings\Beany\IETldCache
2009-06-25 01:07 . 2009-06-25 01:07 -------- d-----w- c:\windows\ie8updates
2009-06-25 01:06 . 2009-06-25 01:06 -------- dc-h--w- c:\windows\ie8
2009-06-25 01:05 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-25 01:05 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-25 01:05 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-25 01:05 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-25 01:05 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-25 00:51 . 2009-06-25 00:51 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Symantec
2009-06-25 00:50 . 2009-06-25 00:50 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-25 00:50 . 2009-06-25 00:50 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-25 00:50 . 2009-01-21 19:24 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\WindowsInstaller-KB893803-x86.exe
2009-06-25 00:49 . 2009-06-25 00:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-25 00:49 . 2009-06-25 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-25 00:49 . 2009-06-25 00:50 -------- d-----w- c:\program files\Symantec
2009-06-25 00:49 . 2009-01-21 19:24 927088 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LuCheck.exe
2009-06-25 00:49 . 2009-01-21 19:24 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\smcinst.exe
2009-06-25 00:49 . 2009-01-21 19:24 3554472 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LUSETUP.EXE
2009-06-25 00:49 . 2009-01-21 19:24 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\Setup.exe
2009-06-25 00:49 . 2009-06-25 01:26 -------- d-----w- C:\IUware Online
2009-06-23 18:43 . 2009-06-23 18:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-22 10:38 . 2009-06-22 10:38 93 ----a-w- c:\windows\system32\SKYNET.dat
2009-06-21 15:44 . 2009-06-21 15:44 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Identities
2009-06-21 03:54 . 2009-06-21 03:54 1896448 ----a-w- c:\documents and settings\Beany\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\dplugins\2.0.1.571\DiagPlugin.dll
2009-06-21 03:54 . 2009-06-21 03:54 123138 ----a-w- c:\documents and settings\Beany\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\HTML\MakeDesktopShortcut.EXE
2009-06-20 21:51 . 2009-06-20 21:51 -------- d-----w- c:\documents and settings\Beany\Application Data\Malwarebytes
2009-06-20 21:51 . 2009-06-20 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 21:32 . 2009-06-20 21:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-20 05:50 . 2009-06-20 05:50 -------- d-----w- c:\windows\system32\scripting
2009-06-20 05:50 . 2009-06-20 05:50 -------- d-----w- c:\windows\l2schemas
2009-06-20 05:50 . 2009-06-20 05:50 -------- d-----w- c:\windows\system32\en
2009-06-20 05:50 . 2009-06-20 05:50 -------- d-----w- c:\windows\system32\bits
2009-06-20 05:47 . 2009-06-20 05:47 -------- d-----w- c:\windows\ServicePackFiles
2009-06-20 05:18 . 2009-06-20 05:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-20 05:16 . 2008-04-15 15:17 295424 ------w- c:\windows\system32\dllcache\termsrv.dll
2009-06-18 13:23 . 2009-06-18 13:23 -------- d-----w- c:\documents and settings\Beany\Application Data\Corel Photo Album
2009-06-18 13:23 . 2009-06-18 13:23 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Corel Photo Album
2009-06-18 13:22 . 2009-06-25 01:39 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-18 13:22 . 2009-06-25 01:39 88 --sh--r- c:\windows\system32\DF12408E5B.sys
2009-06-16 02:13 . 2009-06-28 18:38 41432 ----a-w- c:\documents and settings\Beany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-15 17:06 . 2009-06-15 17:06 -------- d--h--w- c:\windows\PIF
2009-06-15 07:18 . 2009-06-15 07:18 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Adobe
2009-06-15 07:18 . 2009-06-15 07:18 -------- d-----w- c:\documents and settings\Beany\Application Data\AdobeUM
2009-06-15 07:16 . 2009-06-15 07:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-15 02:59 . 2009-06-15 02:59 92 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-06-15 02:59 . 2009-06-15 02:59 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-06-15 02:59 . 2009-06-15 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Last.fm
2009-06-15 02:58 . 2009-06-15 02:58 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Last.fm
2009-06-15 02:58 . 2009-06-15 02:58 -------- d-----w- c:\program files\Last.fm
2009-06-15 02:18 . 2009-06-15 02:25 -------- d-----w- c:\documents and settings\Beany\Application Data\DemoCreator
2009-06-15 02:16 . 2009-06-15 02:16 -------- d-----w- c:\windows\Sun
2009-06-14 22:16 . 2009-06-14 22:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 22:15 . 2009-06-14 22:15 152576 ----a-w- c:\documents and settings\Beany\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-14 21:28 . 2009-06-14 21:28 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Aspyr
2009-06-14 21:28 . 2009-06-14 21:28 -------- d--h--r- c:\documents and settings\Beany\Application Data\SecuROM
2009-06-14 21:28 . 2009-06-14 21:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-14 21:11 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-06-14 21:11 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-06-14 17:08 . 2009-06-14 17:08 -------- d-----w- c:\program files\uTorrent
2009-06-14 17:08 . 2009-07-01 14:51 -------- d-----w- c:\documents and settings\Beany\Application Data\uTorrent
2009-06-14 15:08 . 2009-07-01 09:34 -------- d-----w- c:\program files\dl_Cats
2009-06-14 15:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-06-14 15:02 . 2001-08-18 02:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-06-14 15:02 . 2001-08-18 02:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-06-14 05:09 . 2009-06-14 05:09 -------- d-----w- c:\program files\MSXML 4.0
2009-06-14 05:05 . 2008-04-14 00:12 276992 ------w- c:\windows\system32\wmphoto.dll
2009-06-14 05:03 . 2004-08-04 02:41 180360 ------w- c:\windows\system32\drivers\ntmtlfax.sys
2009-06-14 05:02 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdiultn.dll
2009-06-14 05:01 . 2008-04-14 00:11 650752 ------w- c:\windows\system32\dot3ui.dll
2009-06-14 04:48 . 2009-06-14 04:48 -------- d-----w- c:\documents and settings\Beany\Application Data\Apple Computer
2009-06-14 04:47 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 04:47 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-14 04:47 . 2009-06-14 04:47 -------- d-----w- c:\program files\iPod
2009-06-14 04:47 . 2009-06-15 02:59 -------- d-----w- c:\program files\iTunes
2009-06-14 04:47 . 2009-06-14 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 04:47 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-14 04:47 . 2009-07-01 02:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-14 04:47 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-14 04:46 . 2009-06-14 04:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 04:44 . 2009-06-14 04:44 -------- d-----w- c:\program files\Bonjour
2009-06-14 04:43 . 2009-06-14 04:44 -------- d-----w- c:\program files\QuickTime
2009-06-14 04:43 . 2009-06-14 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-14 04:43 . 2009-06-14 04:43 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Apple
2009-06-14 04:43 . 2009-06-14 04:43 -------- d-----w- c:\program files\Apple Software Update
2009-06-14 04:43 . 2009-06-14 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-14 04:42 . 2009-06-14 04:48 -------- d-----w- c:\documents and settings\Beany\Local Settings\Application Data\Apple Computer
2009-06-14 04:35 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-06-14 04:35 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-14 04:35 . 2008-06-11 06:58 2330624 ------w- c:\windows\system32\dllcache\WMVCore.dll
2009-06-14 04:35 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-14 04:35 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-06-14 04:35 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-14 04:34 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-06-14 04:34 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-06-14 04:34 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-06-14 04:34 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-14 04:34 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 04:32 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-14 04:32 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 01:27 . 2006-07-06 02:55 -------- d-----w- c:\program files\WildTangent
2009-06-25 01:00 . 2006-07-06 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-25 01:00 . 2006-07-06 02:52 -------- d-----w- c:\program files\Common Files\AOL
2009-06-25 00:50 . 2009-06-25 00:50 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-25 00:50 . 2009-06-25 00:50 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-20 05:53 . 2005-08-16 09:41 89191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-20 05:20 . 2009-06-20 05:19 127 ----a-w- c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-06-16 17:55 . 2009-06-14 03:35 128 ----a-w- c:\documents and settings\Beany\Local Settings\Application Data\fusioncache.dat
2009-06-14 22:15 . 2006-07-06 02:47 -------- d-----w- c:\program files\Java
2009-06-14 17:07 . 2009-06-14 17:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-06-14 17:07 . 2009-06-14 17:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-14 09:39 . 2006-07-06 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-06-14 03:41 . 2009-06-14 03:35 -------- d--h--w- c:\documents and settings\Beany\Application Data\Gtek
2009-05-13 05:15 . 2005-08-16 09:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3113c6d7-d1bf-4096-94fe-5df265ac881d}]
2009-07-02 21:55 29184 ----a-w- c:\windows\system32\gdi32lib.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-06 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-5 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"SNAC"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"
"AntiVirusDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcdcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/30/2009 10:01 PM 64160]
S2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [6/29/2009 3:47 PM 16512]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:58 PM 101936]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPOD_SERVICE
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{029D18CB-8632-463c-93B7-C210AE50C722} - c:\windows\system32\iehelper.dll
HKCU-Run-LowRiskFileTypes - c:\windows\sysguard.exe
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-02 19:25
ComboFix-quarantined-files.txt 2009-07-02 23:25

Pre-Run: 192,008,486,912 bytes free
Post-Run: 192,146,763,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

303 --- E O F --- 2009-06-21 07:00
Attached Files
File Type: txt ComboFix.txt (23.2 KB, 2 views)
Grahamiamiam is offline  
Old 07-03-2009, 12:51 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,257
OS: Windows 7 Premium x64


Re: Antivirus System Pro + Other possible malware

Hi there

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\gdi32lib.dll
c:\windows\567788.bat
c:\windows\strt_1246444477.exe
c:\windows\0101120101465749.dat
c:\windows\bf23567.dat
c:\windows\system32\SKYNET.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3113c6d7-d1bf-4096-94fe-5df265ac881d}]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

================================================

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

================================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Please note that this may take some time to complete

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back with the Kaspersky results and the ComboFix log in your next reply, and keep me updated on how things are running now.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
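The CFScript above removes a BHO DLL and a handful of dropped files, and the log posted earlier shows the other indicator types an analyst reads for: system+hidden files under c:\windows, a BHO whose DLL is hours old, Security Center values set so that its own warnings are silenced, and the loading points ComboFix listed under "ORPHANS REMOVED". The following is an added example for this page, not a ComboFix feature and not the analyst's script: a small Python triage pass over the plain-text log format shown above, with excerpts copied from that log embedded as sample input. The category names and the RECENT_DAYS window are the example's own choices, and a hit is a prompt for review rather than a verdict (the two hidden .sys files it lists, for instance, were not in the analyst's File:: list).

```python
"""Triage a ComboFix log for the indicator types seen in this thread.

Added example for this page; it is not a ComboFix feature and not the
analyst's script. It parses the plain-text log format shown above and
returns findings to review, not verdicts.
"""
import re
from datetime import datetime

# Window (days) for calling a loading point "recent"; the example's own choice.
RECENT_DAYS = 7

# Excerpts copied verbatim from the ComboFix log posted earlier in this thread:
# file-list lines, a BHO loading point, the Security Center keys, the
# "ORPHANS REMOVED" list and the completion line that anchors the dates.
SAMPLE_LOG = r"""
2009-06-18 13:22 . 2009-06-25 01:39 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-18 13:22 . 2009-06-25 01:39 88 --sh--r- c:\windows\system32\DF12408E5B.sys
2009-06-15 17:06 . 2009-06-15 17:06 -------- d--h--w- c:\windows\PIF
2009-06-14 22:16 . 2009-06-14 22:15 410984 ----a-w- c:\windows\system32\deploytk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3113c6d7-d1bf-4096-94fe-5df265ac881d}]
2009-07-02 21:55 29184 ----a-w- c:\windows\system32\gdi32lib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"
"AntiVirusDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

BHO-{029D18CB-8632-463c-93B7-C210AE50C722} - c:\windows\system32\iehelper.dll
HKCU-Run-LowRiskFileTypes - c:\windows\sysguard.exe

.
Completion time: 2009-07-02 19:25
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "<created> . <modified> <size|-----> <attrs> <path>" lines of the file lists
FILE_RE = re.compile(rf"^({STAMP}) \. ({STAMP}) (\d+|-+) ([-a-z]{{8}}) (.+)$")
# "<stamp> <size> <attrs> <path>" line printed under a registry loading point
LOADPOINT_RE = re.compile(rf"^({STAMP}) (\d+) ([-a-z]{{8}}) (.+)$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(\S+))$')
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")
GUID_RE = re.compile(r"\{[0-9a-f-]+\}", re.IGNORECASE)
COMPLETION_RE = re.compile(rf"^Completion time: ({STAMP})$", re.MULTILINE)


def triage(log_text):
    """Return the findings an analyst would want to review, by category."""
    findings = {"hidden_system_files": [], "recent_bhos": [],
                "security_center": [], "orphans": []}
    m = COMPLETION_RE.search(log_text)
    ref_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M") if m else None
    current_key = ""
    in_orphans = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                findings["orphans"].append((m.group(1), m.group(2)))
                continue
            in_orphans = False  # first non-orphan line ends the section
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            # system+hidden, not a directory, under the Windows tree: files that
            # Explorer's default view hides, sitting next to OS components
            if (attrs[0] != "d" and "s" in attrs and "h" in attrs
                    and path.lower().startswith("c:\\windows\\")):
                findings["hidden_system_files"].append((path, attrs))
            continue
        m = LOADPOINT_RE.match(line)
        if m and "browser helper objects" in current_key.lower():
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            age = (ref_time - stamp).days if ref_time else None
            if age is None or age <= RECENT_DAYS:
                g = GUID_RE.search(current_key)
                guid = g.group(0) if g else current_key
                findings["recent_bhos"].append((guid, m.group(4)))
            continue
        if "security center" in current_key.lower():
            m = REG_VALUE_RE.match(line)
            if m:
                value = m.group(2) if m.group(2) is not None else m.group(3)
                # values that switch off Security Center's own warnings
                if "Disable" in m.group(1) and value in ("1", "dword:00000001"):
                    findings["security_center"].append((current_key, m.group(1)))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", *item)
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(); on the excerpt above it lists the two hidden .sys files, the gdi32lib.dll BHO (its timestamp is later than the log's completion time, so it is trivially inside the window), the three Security Center values and the two orphan entries. The BHO age check uses the log's own "Completion time" line as the reference rather than the wall clock, so the result is the same whenever the log is re-read.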
Old 07-03-2009, 10:06 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Re: Antivirus System Pro + Other possible malware

Combo-fix log and Kaspersky log attached.

I booted back out of safe mode, and now everything seems to be working just fine. No more pop ups, Google redirects, etc,
Looks as if everything Kaspersky found has been quarantined.
Thanks so much for all of your help.
Attached Files
File Type: txt ComboFix.txt.txt (28.2 KB, 2 views)
File Type: txt Kaspersky_Log.txt (1.6 KB, 3 views)

Last edited by Grahamiamiam; 07-03-2009 at 10:10 AM.
Grahamiamiam is offline  
Old 07-03-2009, 12:51 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,257
OS: Windows 7 Premium x64


Re: Antivirus System Pro + Other possible malware

Hi Graham

Good to hear things are running better; all is looking good log-wise. You can now empty out the files contained in Symantec's quarantine folders. One thing I do notice is that you are running two antivirus programs (McAfee VirusScan / Symantec Endpoint Protection). Although this may seem like a sound idea to double your protection, you are actually putting your system at risk from conflicts and slowdowns as they fight for superiority. I would choose just one of the two you are running and uninstall the other.

Now that you appear to be free from malware lets help you stay that way!

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Windows XP Users: Click Start > Select Run and copy/paste the following bolded text below into the Run box and click OK:

Windows Vista Users: Press the Windows key and R to bring up the Run dialogue, copy and paste the text below into the Run box and click OK:

ComboFix /u

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run free, without a licence, as on-demand scanners.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes unauthorised access easy.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 07-03-2009, 11:13 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WinXP


Re: Antivirus System Pro + Other possible malware

Yes, I have taken your advice and installed a more secure firewall, along with Spywareblaster, among other things.
Yes, I would call this resolved. Thanks again.
Grahamiamiam is offline  
Copyright 2001 - 2009, Tech Support Forum