Old 11-12-2008, 07:02 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


trojans/malware

Hello volunteer helpers. I've read the "read this before posting" and I hope I do everything right. My notebook appears to be infected with one or more problems. Windows open for no reason in IE or Firefox. Recordings play advertising ("you've been selected...", etc.) when no programs are running. HijackThis and other malware programs see trojans, clean them, but they seem to come back. Logs attached. Thanks for your help.

DDS.txt shown below:


DDS (Version 1.0) - NTFSx86
Run by Dell User at 21:49:50.12 on Wed 11/12/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.110 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Dell User\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: {2c9081fb-6817-49e3-8d06-80b6abc86da0} - c:\windows\system32\hozegupo.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\16.0.0.125\IPSBHO.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WG511WLU] c:\program files\netgear\wg511\utility\WG511WLU.exe -hide
mRun: [nwiz] nwiz.exe /installquiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
AppInit_DLLs: c:\windows\system32\semajosu.dll c:\windows\system32\vowikiho.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
LSA: Notification Packages = scecli c:\windows\system32\semajosu.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1000000.07d\SYMEFA.SYS
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\nav\1000000.07d\BHDrvx86.sys
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\nav\1000000.07d\ccHPx86.sys
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081110.001\IDSxpx86.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\c:\windows\system32\AWINDIS5.SYS
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys
S4 hpt3xx;hpt3xx;

=============== Created Last 30 ================

2008-11-12 21:31 250 a------- c:\windows\gmer.ini
2008-11-12 20:57 95 a------- c:\windows\wininit.ini
2008-11-12 20:09 268 a---h--- C:\sqmdata04.sqm
2008-11-12 20:09 244 a---h--- C:\sqmnoopt04.sqm
2008-11-12 08:18 268 a---h--- C:\sqmdata03.sqm
2008-11-12 08:18 244 a---h--- C:\sqmnoopt03.sqm
2008-11-11 23:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-11 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-11 23:25 268 a---h--- C:\sqmdata02.sqm
2008-11-11 23:25 244 a---h--- C:\sqmnoopt02.sqm
2008-11-11 23:01 268 a---h--- C:\sqmdata01.sqm
2008-11-11 23:01 244 a---h--- C:\sqmnoopt01.sqm
2008-11-11 22:58 <DIR> --d--r-- c:\program files\Norton Support
2008-11-11 21:53 268 a---h--- C:\sqmdata00.sqm
2008-11-11 21:53 244 a---h--- C:\sqmnoopt00.sqm
2008-11-10 21:44 <DIR> --dsh--- C:\found.000
2008-11-09 16:04 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-11-09 16:04 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-09 16:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-09 16:04 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-09 16:04 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-09 16:04 <DIR> --d----- c:\program files\Symantec
2008-11-09 16:04 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-09 16:03 <DIR> --d----- c:\windows\system32\drivers\NAV
2008-11-09 16:03 <DIR> --d----- c:\program files\Norton AntiVirus
2008-11-09 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-11-09 16:02 <DIR> --d----- c:\program files\NortonInstaller
2008-11-09 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-11-09 16:01 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-11-08 22:13 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2008-11-08 13:51 17,229 a------- c:\docume~1\dellus~1\applic~1\eber.dat
2008-11-08 13:51 14,575 a------- c:\docume~1\alluse~1\applic~1\axyma.dll
2008-11-08 13:51 13,875 a------- c:\windows\ijydewijyw.com
2008-11-08 13:51 12,917 a------- c:\docume~1\dellus~1\applic~1\vocih.com
2008-11-08 13:51 10,235 a------- c:\docume~1\dellus~1\applic~1\ecurahawov.bat
2008-11-08 13:51 10,224 a------- c:\windows\aqitixyjyr.com
2008-11-08 13:51 18,673 a------- c:\windows\velefygova.lib
2008-11-08 13:51 16,308 a------- c:\windows\zodicy.inf
2008-11-08 13:51 15,443 a------- c:\windows\risur.sys
2008-11-08 13:51 12,711 a------- c:\windows\wysyfil.inf
2008-11-08 13:51 11,975 a------- c:\windows\ulefy.lib
2008-11-08 13:51 10,370 a------- c:\windows\bynarem.inf
2008-11-08 10:58 <DIR> --dsh--- c:\documents and settings\dell user\PrivacIE
2008-11-08 10:53 81,920 a------- c:\windows\system32\ieencode.dll
2008-11-07 22:27 <DIR> --d----- c:\program files\Trend Micro
2008-11-07 22:09 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Malwarebytes
2008-11-07 22:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-07 22:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-07 22:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-02 17:27 31,744 a------- c:\windows\system32\351aT70U.exe
2008-10-23 18:36 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-18 18:19 <DIR> --d----- C:\Daddys Europe Pics
2008-10-18 14:51 <DIR> --d----- C:\Mamas Europe Pictures
2008-10-17 18:32 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-10-17 18:32 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-10-17 18:32 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-17 18:32 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-17 18:32 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-17 18:32 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe

==================== Find3M ====================

2008-11-12 07:09 92,212 a--sh--- c:\windows\system32\zowirewa.dll
2008-11-10 20:47 <DIR> --d----- c:\program files\PokerStars
2008-11-06 20:48 <DIR> --d----- c:\program files\TMG
2008-11-06 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-09-26 20:30 <DIR> --d----- c:\docume~1\dellus~1\applic~1\LimeWire
2008-09-21 08:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-09-21 08:22 <DIR> --d----- c:\program files\Lavasoft
2008-09-21 08:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-09-21 08:15 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Move Networks
2008-09-20 23:43 <DIR> --d----- c:\program files\MSN Messenger
2008-09-20 23:36 <DIR> --d----- c:\program files\Messenger
2008-09-20 23:33 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-20 23:26 <DIR> --d----- c:\program files\Windows NT
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-08-20 00:30 666,112 a------- c:\windows\system32\wininet.dll
2008-07-08 17:16 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Snapfish
2007-02-18 21:51 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Viewpoint
2006-12-24 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2008-08-07 21:13 60,928 a--sh--- c:\windows\system32\semajosu.dll

============= FINISH: 21:50:36.97 ===============
Attached Files: Gmer.txt (5.7 KB), Attach.txt (16.2 KB)

Last edited by robmop; 11-12-2008 at 07:03 PM.
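One way to read the persistence lines of the DDS report in this post, written as an added example (not the forum's or the DDS tool's own code): it pulls the AppInit_DLLs, LSA and CLSID-based load points out of a sample constructed from the log's own lines, then reports which modules are registered at more than one load point, which is the pattern a helper looks for before asking for a ComboFix run.

```python
"""Correlate the DLL load points listed in a DDS 'Pseudo HJT Report'."""
import re

# Constructed sample made from lines of the DDS log quoted in this thread.
SAMPLE_DDS = r"""
BHO: {2c9081fb-6817-49e3-8d06-80b6abc86da0} - c:\windows\system32\hozegupo.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
AppInit_DLLs: c:\windows\system32\semajosu.dll c:\windows\system32\vowikiho.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
LSA: Notification Packages = scecli c:\windows\system32\semajosu.dll
"""

LINE_RE = re.compile(r"^(?P<tag>[A-Za-z_]+):\s*(?P<rest>.*)$")
# Load points whose line ends in " - <path>" (CLSID-registered COM objects).
CLSID_POINTS = {"BHO", "TB", "SSODL", "STS"}


def parse_report(text):
    """Return {load point: [module path, ...]} for the persistence lines."""
    points = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tag, rest = m.group("tag"), m.group("rest")
        if tag == "AppInit_DLLs":
            paths = re.split(r"[\s,]+", rest)  # registry value is space/comma separated
        elif tag == "LSA":
            name, _, value = rest.partition("=")
            tag, paths = "LSA:" + name.strip(), value.split()
        elif tag in CLSID_POINTS:
            paths = [rest.rsplit(" - ", 1)[-1]]
        else:
            continue
        points.setdefault(tag, []).extend(p for p in paths if p)
    return points


def correlate(points):
    """Map each module (lower-cased path) to the set of load points naming it."""
    seen = {}
    for tag, paths in points.items():
        for p in paths:
            seen.setdefault(p.lower(), set()).add(tag)
    return seen


def triage(text):
    """Findings: AppInit injection, non-default LSA packages, multi-point modules."""
    findings = []
    points = parse_report(text)
    for dll in points.get("AppInit_DLLs", []):
        findings.append(f"AppInit_DLLs loads {dll} into every process that maps user32.dll")
    for pkg in points.get("LSA:Notification Packages", []):
        if pkg.lower() != "scecli":  # scecli is the stock Windows XP entry
            findings.append(f"Extra LSA notification package {pkg} (sees password changes)")
    for module, tags in correlate(points).items():
        if len(tags) > 1:
            findings.append(f"{module} registered at {len(tags)} load points: {', '.join(sorted(tags))}")
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_DDS), sep="\n")
```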
Old 11-13-2008, 05:44 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: trojans/malware

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 11-13-2008, 07:56 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


Re: trojans/malware

ComboFix results:

ComboFix 08-11-12.01 - Dell User 2008-11-13 22:39:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.83 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\semajosu.dll
c:\windows\system32\yanohide.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\delesa.dat
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\ifosotyz.com
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\onutepu.reg
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-13 18:26 . 2008-11-13 18:26 268 --ah----- C:\sqmdata08.sqm
2008-11-13 18:26 . 2008-11-13 18:26 244 --ah----- C:\sqmnoopt08.sqm
2008-11-13 18:15 . 2008-11-13 18:15 120 ---hs---- c:\windows\system32\ehepabep.ini
2008-11-13 00:43 . 2008-11-13 00:43 268 --ah----- C:\sqmdata07.sqm
2008-11-13 00:43 . 2008-11-13 00:43 244 --ah----- C:\sqmnoopt07.sqm
2008-11-12 22:32 . 2008-11-12 22:32 268 --ah----- C:\sqmdata06.sqm
2008-11-12 22:32 . 2008-11-12 22:32 244 --ah----- C:\sqmnoopt06.sqm
2008-11-12 22:28 . 2008-11-12 22:28 268 --ah----- C:\sqmdata05.sqm
2008-11-12 22:28 . 2008-11-12 22:28 244 --ah----- C:\sqmnoopt05.sqm
2008-11-12 21:31 . 2008-11-12 21:35 250 --a------ c:\windows\gmer.ini
2008-11-12 20:57 . 2008-11-12 20:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-12 20:57 . 2008-11-12 20:57 95 --a------ c:\windows\wininit.ini
2008-11-12 20:11 . 2008-11-12 20:11 <DIR> d-------- c:\documents and settings\Administrator
2008-11-12 20:09 . 2008-11-12 20:09 268 --ah----- C:\sqmdata04.sqm
2008-11-12 20:09 . 2008-11-12 20:09 244 --ah----- C:\sqmnoopt04.sqm
2008-11-12 08:18 . 2008-11-12 08:18 268 --ah----- C:\sqmdata03.sqm
2008-11-12 08:18 . 2008-11-12 08:18 244 --ah----- C:\sqmnoopt03.sqm
2008-11-11 23:39 . 2008-11-11 23:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-11 23:39 . 2008-11-12 08:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 23:25 . 2008-11-11 23:25 268 --ah----- C:\sqmdata02.sqm
2008-11-11 23:25 . 2008-11-11 23:25 244 --ah----- C:\sqmnoopt02.sqm
2008-11-11 23:01 . 2008-11-11 23:01 268 --ah----- C:\sqmdata01.sqm
2008-11-11 23:01 . 2008-11-11 23:01 244 --ah----- C:\sqmnoopt01.sqm
2008-11-11 22:58 . 2008-11-13 18:24 <DIR> dr------- c:\program files\Norton Support
2008-11-11 21:53 . 2008-11-11 21:53 268 --ah----- C:\sqmdata00.sqm
2008-11-11 21:53 . 2008-11-11 21:53 244 --ah----- C:\sqmnoopt00.sqm
2008-11-10 21:44 . 2008-11-10 21:44 <DIR> d--hs---- C:\found.000
2008-11-09 16:04 . 2008-11-09 16:04 <DIR> d-------- c:\program files\Symantec
2008-11-09 16:04 . 2008-11-09 16:07 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-09 16:04 . 2008-11-09 16:04 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-09 16:04 . 2008-11-09 16:04 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-09 16:04 . 2008-11-09 16:04 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-11-09 16:04 . 2008-11-09 16:04 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-09 16:04 . 2008-11-09 16:04 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Norton AntiVirus
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\program files\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-09 16:01 . 2008-11-09 16:01 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-08 22:13 . 2008-11-08 22:13 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-11-08 13:51 . 2008-11-08 13:51 18,673 --a------ c:\windows\velefygova.lib
2008-11-08 13:51 . 2008-11-08 13:51 17,229 --a------ c:\documents and settings\Dell User\Application Data\eber.dat
2008-11-08 13:51 . 2008-11-08 13:51 16,308 --a------ c:\windows\zodicy.inf
2008-11-08 13:51 . 2008-11-08 13:51 15,443 --a------ c:\windows\risur.sys
2008-11-08 13:51 . 2008-11-08 13:51 14,575 --a------ c:\documents and settings\All Users\Application Data\axyma.dll
2008-11-08 13:51 . 2008-11-08 13:51 13,875 --a------ c:\windows\ijydewijyw.com
2008-11-08 13:51 . 2008-11-08 13:51 12,917 --a------ c:\documents and settings\Dell User\Application Data\vocih.com
2008-11-08 13:51 . 2008-11-08 13:51 12,711 --a------ c:\windows\wysyfil.inf
2008-11-08 13:51 . 2008-11-08 13:51 11,975 --a------ c:\windows\ulefy.lib
2008-11-08 13:51 . 2008-11-08 13:51 10,370 --a------ c:\windows\bynarem.inf
2008-11-08 13:51 . 2008-11-08 13:51 10,235 --a------ c:\documents and settings\Dell User\Application Data\ecurahawov.bat
2008-11-08 13:51 . 2008-11-08 13:51 10,224 --a------ c:\windows\aqitixyjyr.com
2008-11-08 11:05 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-08 10:58 . 2008-11-08 10:58 <DIR> d--hs---- c:\documents and settings\Dell User\PrivacIE
2008-11-08 10:53 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2008-11-07 22:27 . 2008-11-07 22:27 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\Dell User\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:09 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-02 17:27 . 2008-11-02 17:26 31,744 --a------ c:\windows\system32\351aT70U.exe
2008-10-23 18:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 18:19 . 2008-10-18 19:55 <DIR> d-------- C:\Daddys Europe Pics
2008-10-18 14:51 . 2008-10-18 16:25 <DIR> d-------- C:\Mamas Europe Pictures
2008-10-17 18:32 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-17 18:32 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-17 18:32 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-17 18:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 23:15 92,724 ----a-w c:\windows\system32\yanohide.dll.vir
2008-11-13 23:15 85,044 --sha-w c:\windows\system32\pebapehe.dll
2008-11-12 12:09 92,212 --sha-w c:\windows\system32\zowirewa.dll
2008-11-11 01:47 --------- d-----w c:\program files\PokerStars
2008-11-08 18:51 17,060 ----a-w c:\program files\Common Files\ikaf.db
2008-11-08 18:51 13,223 ----a-w c:\program files\Common Files\agylob._sy
2008-11-08 15:34 --------- d-----w c:\program files\Google
2008-11-07 01:48 --------- d-----w c:\program files\TMG
2008-11-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-27 01:30 --------- d-----w c:\documents and settings\Dell User\Application Data\LimeWire
2008-09-21 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-21 13:22 --------- d-----w c:\program files\Lavasoft
2008-09-21 13:22 --------- d-----w c:\documents and settings\Dell User\Application Data\Lavasoft
2008-09-21 13:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-09-21 13:15 --------- d-----w c:\documents and settings\Dell User\Application Data\Move Networks
2008-09-21 04:43 --------- d-----w c:\program files\MSN Messenger
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2008-11-09 13:30 522224 --a------ c:\program files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-11-09 475136]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-12 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-11-09 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-11-09 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-11-09 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081110.001\IDSxpx86.sys [2008-11-09 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-11 16194]
R3 Ich;Ich;c:\windows\system32\DRIVERS\Ich.sys [2002-01-13 65916]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\DRIVERS\WG511ICB.sys [2005-02-16 352256]
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\At1.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At10.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-08 c:\windows\Tasks\At11.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-08 c:\windows\Tasks\At12.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-02 c:\windows\Tasks\At13.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At14.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At15.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At16.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At17.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At18.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-09 c:\windows\Tasks\At19.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At2.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-10 c:\windows\Tasks\At20.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At21.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At22.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-13 c:\windows\Tasks\At23.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-13 c:\windows\Tasks\At24.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At3.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At4.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At5.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At6.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At7.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At8.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At9.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2c9081fb-6817-49e3-8d06-80b6abc86da0} - c:\windows\system32\hozegupo.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yanohide.dll
SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yanohide.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\5dmyrmy4.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 22:45:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuauclt.exe.wusetup.300962.bak 53448 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.307211.bak 1811656 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-13 22:52:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 03:52:09

Pre-Run: 2,727,362,560 bytes free
Post-Run: 2,809,360,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

264 --- E O F --- 2008-10-24 00:03:19
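The Reg Loading Points and Scheduled Tasks sections of the ComboFix log in this post, checked by an added example script (not the forum's or ComboFix's own code; the sample text is constructed from lines quoted in the log): it flags the suppressed Security Center warnings, the disabled firewall, core OS processes added to the firewall exception list, and the batch of At*.job tasks that all launch one binary in system32.

```python
"""Triage the 'Reg Loading Points' and 'Scheduled Tasks' sections of a ComboFix log."""
import re
from collections import defaultdict

# Constructed sample, modelled on the ComboFix log quoted in this post.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\At1.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]

2008-11-12 c:\windows\Tasks\At2.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
"""

# Logon/LSA/SCM processes never need their own inbound firewall exception;
# finding them in the AuthorizedApplications list means something added them.
CORE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "logonui.exe"}
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)$")
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")


def parse_registry(text):
    """Return {key: {value name: raw value}} from the REGEDIT4-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = value.strip()
    return keys


def parse_tasks(text):
    """Return {job file: target executable} from the Scheduled Tasks listing."""
    tasks, job = {}, None
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            job = m.group("job")
            continue
        m = TARGET_RE.match(line.strip())
        if m and job:
            tasks[job], job = m.group("target"), None
    return tasks


def reg_int(value):
    """Interpret 'dword:00000001' or '0 (0x0)' style values as an int."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"-?\d+", value)
    return int(m.group()) if m else None


def triage(text):
    """Return findings for the weakened-posture patterns visible in the log."""
    findings = []
    for key, values in parse_registry(text).items():
        k = key.lower()
        if k.endswith("security center"):
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if reg_int(values.get(name, "0")) == 1:
                    findings.append(f"Security Center warning suppressed: {name}=1")
        elif k.endswith("firewallpolicy\\standardprofile"):
            if reg_int(values.get("EnableFirewall", "1")) == 0:
                findings.append("Windows Firewall disabled: EnableFirewall=0")
        elif k.endswith("authorizedapplications\\list"):
            for app in values:
                base = app.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if base in CORE_PROCESSES:
                    findings.append(f"Core OS process in firewall exception list: {app}")
    # At<N>.job files are what at.exe creates; several pointing at one binary is a relaunch loop.
    by_target = defaultdict(list)
    for job, target in parse_tasks(text).items():
        if re.search(r"\\At\d+\.job$", job, re.IGNORECASE):
            by_target[target].append(job)
    for target, jobs in by_target.items():
        if len(jobs) > 1:
            findings.append(f"{len(jobs)} At*.job tasks all launch {target}")
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The helper's CFScript in the next reply resets exactly these items: the two Security Center values back to 0, the winlogon.exe and lsass.exe firewall entries removed, and the At*.job files deleted.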
Old 11-13-2008, 08:13 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: trojans/malware

Hi,

Did you set your computer to always use classic theme?

Go to Control Panel > Add or Remove Programs, then uninstall this entry if it is still there: Antivirus Pro 2009.

* Open Notepad.
Copy and paste the text inside the code box below into Notepad.

Code:
File::
c:\windows\system32\ehepabep.ini
c:\Windows\velefygova.lib
c:\documents and settings\Dell User\Application Data\eber.dat
c:\Windows\zodicy.inf
c:\Windows\risur.sys
c:\documents and settings\All Users\Application Data\axyma.dll
c:\Windows\ijydewijyw.com
c:\documents and settings\Dell User\Application Data\vocih.com
c:\Windows\wysyfil.inf
c:\Windows\ulefy.lib
c:\Windows\bynarem.inf
c:\documents and settings\Dell User\Application Data\ecurahawov.bat
c:\Windows\aqitixyjyr.com
c:\windows\system32\351aT70U.exe
c:\windows\system32\yanohide.dll.vir
c:\windows\system32\pebapehe.dll
c:\windows\system32\zowirewa.dll
c:\windows\system32\semajosu.dll
c:\windows\system32\yanohide.dll
c:\program files\Common Files\ikaf.db
c:\program files\Common Files\agylob._sy
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\Dell User\Application Data\LimeWire
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\winlogon.exe"=-
"c:\\WINDOWS\\system32\\lsass.exe"=-
"c:\\WINDOWS\\system32\\services.exe"=-
"c:\\WINDOWS\\system32\\spoolsv.exe"=-
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log.
__________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u10, and install it to your computer.
  • Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
___________

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
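A defender-side check for three of the indicators the CFScript above acts on (the hourly At<N>.job scheduled tasks, core system binaries listed under the firewall AuthorizedApplications key, and Security Center notifications switched off), written as an added example that is not part of this thread or of ComboFix. It parses the log and registry formats shown above; the sample log is constructed for the example, and the threshold of three At jobs is an assumption.

```python
"""Scan ComboFix-style log text for the infection indicators seen in this thread.

Added example, not ComboFix's own code. The sample log below is constructed
for the example and only echoes the path and registry formats posted above.
"""
import re
from collections import defaultdict

# Core Windows processes that never need their own firewall exception. Malware
# of the Vundo/Virtumonde era added them to AuthorizedApplications so code
# injected into these hosts could reach the network; the CFScript removes them.
CORE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "spoolsv.exe"}

# Registry key suffixes, compared case-insensitively against each [section] line.
FIREWALL_KEY = r"sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
SECURITY_CENTER_KEY = r"software\microsoft\security center"

# c:\windows\Tasks\At1.job ... At24.job, one scheduled task per hour, was the
# persistence pattern in the log above. The threshold of 3 is an assumption.
AT_JOB_RE = re.compile(r"\\windows\\tasks\\at(\d+)\.job$", re.IGNORECASE)
AT_JOB_THRESHOLD = 3
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_reg_sections(lines):
    """Return {lowercased key: {value name: raw value}} for REGEDIT4-style blocks."""
    sections = defaultdict(dict)
    current = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if not line:
            current = None  # a blank line ends the block
            continue
        m = REG_VALUE_RE.match(line)
        if current is not None and m:
            sections[current][m.group("name")] = m.group("value")
    return sections


def dword_is_nonzero(value):
    """True for 'dword:00000001'-style values that are not zero."""
    body = value[6:]
    return value.lower().startswith("dword:") and bool(body) and int(body, 16) != 0


def find_indicators(log_text):
    """Return a list of (indicator, detail) tuples in the order they are found."""
    lines = log_text.splitlines()
    findings = []

    jobs = set()
    for line in lines:
        m = AT_JOB_RE.search(line.strip())
        if m:
            jobs.add(int(m.group(1)))
    if len(jobs) >= AT_JOB_THRESHOLD:
        findings.append(("at_jobs", sorted(jobs)))

    for key, values in parse_reg_sections(lines).items():
        if key.endswith(SECURITY_CENTER_KEY):
            # A non-zero value silences the Security Center warning for that component.
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if dword_is_nonzero(values.get(name, "")):
                    findings.append(("security_center_notify_disabled", name))
        if key.endswith(FIREWALL_KEY):
            for name in values:
                # The log doubles backslashes; collapse them, then take the basename.
                base = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if base in CORE_PROCESSES:
                    findings.append(("firewall_core_process", base))
    return findings


# Constructed sample: a few lines in the shape of the ComboFix output above.
SAMPLE_LOG = r"""
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At24.job
c:\windows\system32\pebapehe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

Run it against a real ComboFix log by passing the file's text to find_indicators; entries such as sessmgr.exe or iTunes.exe in the firewall list are ordinary and are not flagged.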
Old 11-15-2008, 04:10 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


Re: trojans/malware

I may have set to classic theme.

No Antivirus Pro 2009 was shown in programs.

Kaspersky and Combofix logs below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 20:14:58
Records in database: 1385149
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 49091
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:19:32


File name / Threat name / Threats count
C:\Documents and Settings\Dell User\Shared\Madonna - Hollywood (Remix).wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pebapehe.dll.vir Infected: Trojan.Win32.Agent.andb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yanohide.dll.vir Infected: Trojan-Spy.Win32.Agent.evp 1

The selected area was scanned.






ComboFix 08-11-12.02 - Dell User 2008-11-14 1955.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.76 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dell User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\axyma.dll
c:\documents and settings\Dell User\Application Data\eber.dat
c:\documents and settings\Dell User\Application Data\ecurahawov.bat
c:\documents and settings\Dell User\Application Data\vocih.com
c:\program files\Common Files\agylob._sy
c:\program files\Common Files\ikaf.db
c:\windows\aqitixyjyr.com
c:\windows\bynarem.inf
c:\windows\ijydewijyw.com
c:\windows\risur.sys
c:\windows\system32\351aT70U.exe
c:\windows\system32\ehepabep.ini
c:\windows\system32\pebapehe.dll
c:\windows\system32\semajosu.dll
c:\windows\system32\yanohide.dll
c:\windows\system32\yanohide.dll.vir
c:\windows\system32\zowirewa.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\ulefy.lib
c:\windows\velefygova.lib
c:\windows\wysyfil.inf
c:\windows\zodicy.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\axyma.dll
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\Dell User\Application Data\eber.dat
c:\documents and settings\Dell User\Application Data\ecurahawov.bat
c:\documents and settings\Dell User\Application Data\LimeWire
c:\documents and settings\Dell User\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\Dell User\Application Data\LimeWire\414splashfree.png
c:\documents and settings\Dell User\Application Data\LimeWire\active.mojito
c:\documents and settings\Dell User\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Dell User\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Dell User\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Dell User\Application Data\LimeWire\filters.props
c:\documents and settings\Dell User\Application Data\LimeWire\gnutella.net
c:\documents and settings\Dell User\Application Data\LimeWire\installation.props
c:\documents and settings\Dell User\Application Data\LimeWire\library.dat
c:\documents and settings\Dell User\Application Data\LimeWire\limewire.props
c:\documents and settings\Dell User\Application Data\LimeWire\mojito.props
c:\documents and settings\Dell User\Application Data\LimeWire\questions.props
c:\documents and settings\Dell User\Application Data\LimeWire\responses.cache
c:\documents and settings\Dell User\Application Data\LimeWire\simpp.xml
c:\documents and settings\Dell User\Application Data\LimeWire\spam.dat
c:\documents and settings\Dell User\Application Data\LimeWire\tables.props
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\splashpro.png
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Dell User\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Dell User\Application Data\LimeWire\ttree.cache
c:\documents and settings\Dell User\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Dell User\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Dell User\Application Data\LimeWire\version.xml
c:\documents and settings\Dell User\Application Data\LimeWire\xml\data\audio.sxml
c:\documents and settings\Dell User\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\Dell User\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\Dell User\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\Dell User\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\Dell User\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\Dell User\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\Dell User\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\Dell User\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\Dell User\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\Dell User\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\Dell User\Application Data\LimeWire\xml\schemas\video.xsd
c:\documents and settings\Dell User\Application Data\vocih.com
c:\program files\Common Files\agylob._sy
c:\program files\Common Files\ikaf.db
c:\windows\aqitixyjyr.com
c:\windows\bynarem.inf
c:\windows\ijydewijyw.com
c:\windows\risur.sys
c:\windows\system32\351aT70U.exe
c:\windows\system32\ehepabep.ini
c:\windows\system32\pebapehe.dll
c:\windows\system32\semajosu.dll
c:\windows\system32\yanohide.dll
c:\windows\system32\zowirewa.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\ulefy.lib
c:\windows\velefygova.lib
c:\windows\wysyfil.inf
c:\windows\zodicy.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-14 00:32 . 2008-11-14 00:32 268 --ah----- C:\sqmdata14.sqm
2008-11-14 00:32 . 2008-11-14 00:32 244 --ah----- C:\sqmnoopt13.sqm
2008-11-13 23:13 . 2008-11-13 23:13 268 --ah----- C:\sqmdata10.sqm
2008-11-13 23:13 . 2008-11-13 23:13 244 --ah----- C:\sqmnoopt10.sqm
2008-11-13 23:09 . 2008-11-13 23:09 268 --ah----- C:\sqmdata09.sqm
2008-11-13 23:09 . 2008-11-13 23:09 244 --ah----- C:\sqmnoopt09.sqm
2008-11-13 22:53 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 22:53 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 18:26 . 2008-11-13 18:26 268 --ah----- C:\sqmdata08.sqm
2008-11-13 18:26 . 2008-11-13 18:26 244 --ah----- C:\sqmnoopt08.sqm
2008-11-13 00:43 . 2008-11-13 00:43 268 --ah----- C:\sqmdata07.sqm
2008-11-13 00:43 . 2008-11-13 00:43 244 --ah----- C:\sqmnoopt07.sqm
2008-11-12 22:32 . 2008-11-12 22:32 268 --ah----- C:\sqmdata06.sqm
2008-11-12 22:32 . 2008-11-12 22:32 244 --ah----- C:\sqmnoopt06.sqm
2008-11-12 22:28 . 2008-11-12 22:28 268 --ah----- C:\sqmdata05.sqm
2008-11-12 22:28 . 2008-11-12 22:28 244 --ah----- C:\sqmnoopt05.sqm
2008-11-12 21:31 . 2008-11-12 21:35 250 --a------ c:\windows\gmer.ini
2008-11-12 20:57 . 2008-11-12 20:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-12 20:57 . 2008-11-12 20:57 95 --a------ c:\windows\wininit.ini
2008-11-12 20:11 . 2008-11-12 20:11 <DIR> d-------- c:\documents and settings\Administrator
2008-11-12 20:09 . 2008-11-12 20:09 268 --ah----- C:\sqmdata04.sqm
2008-11-12 20:09 . 2008-11-12 20:09 244 --ah----- C:\sqmnoopt04.sqm
2008-11-12 08:18 . 2008-11-12 08:18 268 --ah----- C:\sqmdata03.sqm
2008-11-12 08:18 . 2008-11-12 08:18 244 --ah----- C:\sqmnoopt03.sqm
2008-11-11 23:39 . 2008-11-11 23:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-11 23:39 . 2008-11-12 08:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 23:25 . 2008-11-11 23:25 268 --ah----- C:\sqmdata02.sqm
2008-11-11 23:25 . 2008-11-11 23:25 244 --ah----- C:\sqmnoopt02.sqm
2008-11-11 23:01 . 2008-11-11 23:01 268 --ah----- C:\sqmdata01.sqm
2008-11-11 23:01 . 2008-11-11 23:01 244 --ah----- C:\sqmnoopt01.sqm
2008-11-11 22:58 . 2008-11-13 22:54 <DIR> dr------- c:\program files\Norton Support
2008-11-11 21:53 . 2008-11-11 21:53 268 --ah----- C:\sqmdata00.sqm
2008-11-11 21:53 . 2008-11-11 21:53 244 --ah----- C:\sqmnoopt00.sqm
2008-11-10 21:44 . 2008-11-10 21:44 <DIR> d--hs---- C:\found.000
2008-11-09 16:04 . 2008-11-09 16:04 <DIR> d-------- c:\program files\Symantec
2008-11-09 16:04 . 2008-11-09 16:07 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-09 16:04 . 2008-11-09 16:04 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-09 16:04 . 2008-11-09 16:04 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-09 16:04 . 2008-11-09 16:04 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-11-09 16:04 . 2008-11-09 16:04 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-09 16:04 . 2008-11-09 16:04 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Norton AntiVirus
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\program files\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-09 16:01 . 2008-11-09 16:01 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-08 22:13 . 2008-11-08 22:13 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-11-08 11:05 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-08 10:58 . 2008-11-08 10:58 <DIR> d--hs---- c:\documents and settings\Dell User\PrivacIE
2008-11-08 10:53 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2008-11-07 22:27 . 2008-11-07 22:27 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\Dell User\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:09 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-23 18:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 18:19 . 2008-10-18 19:55 <DIR> d-------- C:\Daddys Europe Pics
2008-10-18 14:51 . 2008-10-18 16:25 <DIR> d-------- C:\Mamas Europe Pictures
2008-10-17 18:32 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-17 18:32 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-17 18:32 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-17 18:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 01:47 --------- d-----w c:\program files\PokerStars
2008-11-08 15:34 --------- d-----w c:\program files\Google
2008-11-07 01:48 --------- d-----w c:\program files\TMG
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-21 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-21 13:22 --------- d-----w c:\program files\Lavasoft
2008-09-21 13:22 --------- d-----w c:\documents and settings\Dell User\Application Data\Lavasoft
2008-09-21 13:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-09-21 13:15 --------- d-----w c:\documents and settings\Dell User\Application Data\Move Networks
2008-09-21 04:43 --------- d-----w c:\program files\MSN Messenger
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-13_22.51.12.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-14 04:13:33 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-07-19 02:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-04-14 00:12:01 1,306,624 -c----w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c----w c:\windows\system32\dllcache\msxml6.dll
- 2008-07-19 02:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 02:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 02:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-11-03 21:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2008-11-14 03:28:45 40,394 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-15 00:01:22 40,394 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-14 03:28:45 312,172 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-15 00:01:22 312,172 ----a-w c:\windows\system32\perfh009.dat
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
+ 2008-11-14 23:59:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_264.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2008-11-09 13:30 522224 --a------ c:\program files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-11-09 475136]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-12 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-11-09 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-11-09 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-11-09 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081110.001\IDSxpx86.sys [2008-11-09 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-11 16194]
R3 Ich;Ich;c:\windows\system32\DRIVERS\Ich.sys [2002-01-13 65916]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\DRIVERS\WG511ICB.sys [2005-02-16 352256]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 19:10:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
Completion time: 2008-11-14 19:13:30
ComboFix-quarantined-files.txt 2008-11-15 00:13:25
ComboFix2.txt 2008-11-14 03:52:22

Pre-Run: 2,751,168,512 bytes free
Post-Run: 2,733,965,312 bytes free

348 --- E O F --- 2008-11-14 04:16:46
Old 11-15-2008, 10:56 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: trojans/malware

Hi,

Delete the following file using Windows Explorer:

C:\Documents and Settings\Dell User\Shared\Madonna - Hollywood (Remix).wma

How is your computer running?
Old 11-15-2008, 02:56 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


Re: trojans/malware

Not good.

Every time I shut down or reboot I get

"Program not responding - End Program" for these two:

1. ccSvcHst
2. AutoComplete

Also I ran spybot search and destroy and it found 1 Trojan C and 5 other entries:

Virtumonde
Zedo
MediaPlex
Doubleclick
Bluestreak and
AdRevolver

Finally, Norton Antivirus will not start.

Robmop
Old 11-15-2008, 03:49 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: trojans/malware

Hi,

Can you try reinstalling Norton?

As for those items found by spybot, it's not unusual because you had a lot of infections. Most of them are adware, most probably registry entries.

Let me know how it works out.
Old 11-16-2008, 07:28 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


Re: trojans/malware

The machine seems pretty stable now.

However, I do note that it takes quite a bit longer for it to go through its start-up routine after a reboot or start from scratch than it did prior to the problems.

I have added Norton antivirus and spybot during the problem time, so perhaps it is just loading those additional programs at start-up now.

Thanks for your help.

Was it simply the one infected file? Or were there multiple problems?

Thanks again.
robmop is offline  
Old 11-17-2008, 09:09 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: trojans/malware

Hi,

Quote:
However, I do note that it takes quite a bit longer for it to go through its start-up routine after re-boot or start from scratch, than it did prior to the problems.
Quote:
I have added Norton antivirus and spybot during the problem time
Your logs show that you only have 256MB of RAM, is that correct? Norton is a resource eater and no doubt it's the cause of your startup slowdown.

I'm not exaggerating but for you to run Norton without any visible performance reduction, you should have at least 512MB - 1G of RAM.

If it's okay for you to buy a good and fast antivirus, please consider Eset's Nod32. For a free one, I suggest Antivir.

Quote:
Was it simply the one infected file? Or were there multiple problems?
You had quite a few infections.


If you don't have any questions anymore,


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 11-17-2008, 09:13 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: xp professional


Re: trojans/malware

Doesn't surprise me about the small amount of RAM. This is an old machine.

Thank you very much for helping me resolve this.

You folks are great!
robmop is offline  
Copyright 2001 - 2009, Tech Support Forum