Ntoskrnl hook

[cheeksyoung]

Hello,

I recently began having trouble with popups at start. The popups are in the form of an error message that says google installer has encountered a problem and needs to close. I don't believe I have ever used google installer, so this was curious. Leaving the computer running, multiple versions of the same popup began piling up on top of one another in the center of the screen.

Running VirusScan found NTOSKRNL HOOK, but even though it says it deleted and cleaned it, the problem is always back at start and VirusScan finds it again.

I was able to run DDS and have included the log and attachment, but when I attempted to run GMER.exe, the computer responded with an error: "GMER.exe has encountered a problem and needs to close." This happened every time I tried.

Thanks in advance for any help.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Scott at 8:11:17.51 on Mon 02/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1742 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Synergy\synergys.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Scott\Application Data\U3\0000184DA860BD28\LaunchPad.exe
M:\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {df5d1cba-6ef8-8d2b-54f4-8d35d0101b76}: {67b1010d-53d8-4f45-b2d8-8fe6abc1d5fd} - c:\windows\system32\dcgmjp.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Ript: {91d9091b-2046-42f7-903e-1215a29e21ea} - c:\program files\ript\mscoree.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [04ac0a0a] rundll32.exe "c:\windows\system32\hlyjlhtl.dll",b
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200968057663
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: blvpnm.dll pfyilv.dll dcgmjp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqropQJ

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\irtzu0af.cheeksyoung 27\
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-12-29 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe [2006-4-2 733184]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2008-7-9 868864]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-29 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-29 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-29 174952]
S2 gupdate1c986f5d914ebca;Google Update Service (gupdate1c986f5d914ebca);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]
S4 Aspprorr;Aspprorr; [x]

=============== Created Last 30 ================

2009-02-22 07:07 1,608,156 ---sh--- c:\windows\system32\lthljylh.ini
2009-02-21 07:08 129,024 a------- c:\windows\system32\dcgmjp.dll
2009-02-21 07:08 129,024 a------- c:\windows\system32\mawpugmp.dll
2009-02-21 07:06 72,704 a------- c:\windows\system32\hlyjlhtl.dll
2009-02-20 13:28 512 a------- c:\windows\randseed.rnd
2009-02-20 11:01 129,024 a------- c:\windows\system32\xhjzfb.dll
2009-02-20 11:01 129,024 a------- c:\windows\system32\iybmtgil.dll
2009-02-20 10:58 72,704 -------- c:\windows\system32\bhaekpkd.dll
2009-02-17 17:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 17:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 17:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-17 13:53 143 a------- c:\windows\system32\mcrh.tmp
2009-02-16 00:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-14 12:02 2,981 a--sh--- c:\windows\system32\JQporqru.ini2
2009-02-14 12:02 2,981 a--sh--- c:\windows\system32\JQporqru.ini
2009-02-13 16:35 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-02-13 16:26 <DIR> --d----- c:\program files\TiVo
2009-02-13 16:26 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-02-13 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TiVo
2009-02-13 16:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-26 12:58 <DIR> --d----- c:\program files\Aimersoft
2009-01-26 12:55 2,255,360 a------- c:\windows\system32\libavcodec.dll
2009-01-26 12:55 1,761,280 a------- c:\windows\system32\ffdshow.ax
2009-01-26 12:55 395,776 a------- c:\windows\system32\libmplayer.dll
2009-01-26 12:55 262,144 a------- c:\windows\system32\TomsMoComp_ff.dll
2009-01-26 12:55 172,032 a------- c:\windows\system32\ac3filter.ax
2009-01-26 12:55 112,640 a------- c:\windows\system32\libmpeg2_ff.dll
2009-01-26 12:54 <DIR> --d----- c:\program files\Cucusoft
2009-01-26 12:46 <DIR> --d----- c:\program files\DirectShow Dump

==================== Find3M ====================

2009-01-15 18:44 2,204 a------- c:\windows\system32\TDSSlxwp.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-02 11:10 4,608 a------- c:\windows\system32\w95inf32.dll
2008-12-02 11:10 2,272 a------- c:\windows\system32\w95inf16.dll
2008-09-17 21:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 8:12:14.64 ===============

I should also mention that working online has become problematic with this issue.

Firefox goes to Yahoo just fine, but when I click on certain search results the resulting page is either blank or starts to load alternative material. Thought that might help you diagnose the issue.

Thanks,
Scott

[chemist]

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Let's try to get a GMER log. You must have extracted gmer.exe to your desktop for this to work.

Open Notepad and copy/paste the text in the quotebox below into Notepad:

Quote:

@echo off
copy /y gmer.exe omer.exe
start omer

Save this as run.bat Choose to "Save type as - All Files" next to gmer.exe
It should look like this:
Double-click run.bat & allow it to run.

Then, use these settings to produce a log.

• If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click NO.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

------------------------------------------------------

Disable the real-time protections of your antivirus and antispyware applications, usually via a right-click on the System Tray icon. Please re-enable them after the scan.

• Download ToolBarSD and Save it to your Desktop.
• Double-click ToolBarSD.exe to run it.
• Type the letter of your chosen language and press Enter
• Click OK to the prompt.
• Type 1 and press Enter
• Please post the log, TB.txt, which it creates at C:\TB.txt in your next reply.

------------------------------------------------------

[cheeksyoung]

Thank you for your help!

gmer.txt is attached

TB.txt is as follows:


-----------\\ ToolBar S&D 1.2.8 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) 4 CPU 3.00GHz )
BIOS : Default System BIOS
USER : Scott ( Administrator )
BOOT : Normal boot
Antivirus : VirusScan Enterprise + AntiSpyware Enterprise 8.5.0.781 (Not Activated)
C:\ (Local Disk) - NTFS - Total:232 Go (Free:211 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)
F:\ (USB)
G:\ (USB) - FAT32 - Total:3898 Mo (Free:2 Go)
H:\ (USB)
I:\ (USB)
J:\ (Local Disk) - NTFS - Total:465 Go (Free:317 Go)
K:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
M:\ (USB) - FAT - Total:1952 Mo (Free:1 Go)
N:\ (Local Disk) - FAT32 - Total:148 Go (Free:2 Go)

"C:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )
Option : [1] ( Tue 02/24/2009|22:49 )

-----------\\ Searching for Files - Folders ...


-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Url"="http://go.microsoft.com/fwlink/?LinkId=68928"
"Url"="http://go.microsoft.com/fwlink/?LinkId=68929"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"


--------------------\\ Searching for other infections

C:\WINDOWS\system32\JQporqru.ini
C:\WINDOWS\system32\JQporqru.ini2
==> VUNDO <==

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\TDSStkdv.log

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Scott\Local Settings\Temp\crackman
C:\DOCUME~1\Scott\Local Settings\Temp\crackman\CRACKMAN.TTF
C:\DOCUME~1\Scott\Local Settings\Temp\crackman\Read_Me.txt



1 - "C:\ToolBar SD\TB_1.txt" - Tue 02/24/2009|22:51 - Option : [1]

-----------\\ Scan completed at 22:51:07.23

[chemist]

Hello cheeksyoung.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

[cheeksyoung]

Much like I experienced with gmer, Combofix is resistant to run. I have downloaded it to the desktop, closed all windows and disabled virus protection. Double clicking results in a box that asks if I'd like to RUN. When I click RUN, the box disappears and nothing ever happens.

Is there something I can do to make ComboFix run?


Thanks,
Scott

[chemist]

Delete ComboFix.exe from your desktop.

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3





* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  
• Get help here
  
• Double-click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

[cheeksyoung]

ComboFix 09-02-24.02 - Scott 2009-02-25 9:37:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.2160 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\windows\system32\dcgmjp.dll
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\UACompfmjyi.sys
c:\windows\system32\hlyjlhtl.dll
c:\windows\system32\iybmtgil.dll
c:\windows\system32\JQporqru.ini
c:\windows\system32\JQporqru.ini2
c:\windows\system32\mawpugmp.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\UACapyejonm.dll
c:\windows\system32\UACdqgoeawl.dll
c:\windows\system32\UACeekmmtpx.log
c:\windows\system32\UACefkaprrp.dll
c:\windows\system32\UAClkttjiwx.dll
c:\windows\system32\UACmhcjgxtq.dat
c:\windows\system32\UACxcdmlsoi.log
c:\windows\system32\UACyyufygfr.log
c:\windows\system32\xhjzfb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:43 . 2009-02-24 22:51 <DIR> d-------- C:\ToolBar SD
2009-02-20 13:28 . 2009-02-20 13:28 512 --a------ c:\windows\randseed.rnd
2009-02-17 17:22 . 2009-02-17 17:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 17:22 . 2009-02-17 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 17:22 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 17:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 00:03 . 2009-02-25 07:07 5,182 --a------ c:\windows\system32\uacinit.dll
2009-02-13 16:35 . 2009-02-13 16:35 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\program files\TiVo
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\program files\Common Files\TiVo Shared
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\TiVo
2009-02-13 16:25 . 2009-02-13 16:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-26 12:58 . 2009-01-26 12:58 <DIR> d-------- c:\program files\Aimersoft
2009-01-26 12:55 . 2004-10-12 14:40 2,255,360 --a------ c:\windows\system32\libavcodec.dll
2009-01-26 12:55 . 2004-10-12 14:46 1,761,280 --a------ c:\windows\system32\ffdshow.ax
2009-01-26 12:55 . 2004-10-05 16:16 395,776 --a------ c:\windows\system32\libmplayer.dll
2009-01-26 12:55 . 2004-10-12 14:42 262,144 --a------ c:\windows\system32\TomsMoComp_ff.dll
2009-01-26 12:55 . 2003-04-03 00:17 172,032 --a------ c:\windows\system32\ac3filter.ax
2009-01-26 12:55 . 2004-10-04 01:50 112,640 --a------ c:\windows\system32\libmpeg2_ff.dll
2009-01-26 12:54 . 2009-01-26 12:54 <DIR> d-------- c:\program files\Cucusoft
2009-01-26 12:46 . 2009-01-26 12:46 <DIR> d-------- c:\program files\DirectShow Dump

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 14:42 --------- d-----w c:\program files\DNA
2009-02-25 14:42 --------- d-----w c:\documents and settings\Scott\Application Data\DNA
2009-02-25 12:12 --------- d-----w c:\program files\Dl_cats
2009-02-25 03:52 --------- d-----w c:\documents and settings\Scott\Application Data\U3
2009-02-20 01:18 --------- d-----w c:\documents and settings\Scott\Application Data\Skype
2009-02-17 16:47 --------- d-----w c:\program files\Google
2009-01-20 18:09 --------- d-----w c:\program files\Photosynth
2009-01-16 14:00 --------- d-----w c:\documents and settings\Scott\Application Data\Yahoo!
2009-01-16 05:04 --------- d-----w c:\documents and settings\Scott\Application Data\skypePM
2009-01-10 17:43 --------- d-----w c:\program files\Jasc Software Inc
2009-01-10 17:43 --------- d-----w c:\documents and settings\Scott\Application Data\Jasc Software Inc
2009-01-10 17:42 --------- d-----w c:\program files\Dell Computer
2009-01-10 17:42 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2009-01-10 17:40 --------- d-----w c:\program files\Dell Photo AIO Printer 922
2009-01-09 03:41 --------- d-----w c:\program files\MSECache
2009-01-08 13:59 --------- d-----w c:\documents and settings\Scott\Application Data\Roxio
2009-01-08 13:52 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-01-08 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Uninstall
2009-01-08 13:51 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-01-08 13:51 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-01-08 13:51 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-01-08 13:50 --------- d-----w c:\program files\Roxio
2009-01-08 13:50 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-08 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-05 15:32 --------- d-----w c:\program files\Java
2008-12-29 15:13 --------- d-----w c:\program files\McAfee
2008-12-29 15:13 --------- d-----w c:\program files\Common Files\Cisco Systems
2008-12-29 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 15:12 --------- d-----w c:\program files\Common Files\McAfee
2008-12-29 15:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-27 03:36 --------- d-----w c:\program files\Skype
2008-12-27 03:36 --------- d-----w c:\program files\Common Files\Skype
2008-12-27 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-26 19:26 --------- d-----w c:\program files\Apple Software Update
2008-12-26 19:10 --------- d-----w c:\program files\Bonjour
2008-12-26 19:09 --------- d-----w c:\program files\iTunes
2008-12-26 19:09 --------- d-----w c:\program files\iPod
2008-12-26 19:09 --------- d-----w c:\program files\Common Files\Apple
2008-12-26 19:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 19:08 --------- d-----w c:\program files\QuickTime
2008-09-18 02:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 1189376]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 1931264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-17 126976]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-07 491520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-08 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Scott\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-02-05 951640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-31 110592]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-05-23 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dcgmjp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Synergy\\synergys.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Synergy Server;Synergy Server;c:\program files\Synergy\synergys.exe [2006-04-02 733184]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 868864]
S2 gupdate1c986f5d914ebca;Google Update Service (gupdate1c986f5d914ebca);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
S4 Aspprorr;Aspprorr; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6892de2-cfae-11dc-9e59-00132086175e}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 13:24]

2009-02-25 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-07 23:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{67b1010d-53d8-4f45-b2d8-8fe6abc1d5fd} - c:\windows\system32\dcgmjp.dll
HKLM-Run-04ac0a0a - c:\windows\system32\hlyjlhtl.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\irtzu0af.Cheeksyoung 27\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 09:42:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spupdsvc]
"ImagePath"="c:\windows\system32\spupdsvc.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Synergy\synrgyhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-25 9:47:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 14:46:54

Pre-Run: 227,306,471,424 bytes free
Post-Run: 230,034,857,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

247 --- E O F --- 2009-02-25 14:46:36

[chemist]

Hello again, Scott.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:

File::
c:\windows\system32\uacinit.dll

Folder::
c:\program files\Common Files\Symantec Shared

DDS::
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"AlcWzrd"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\FlashGet\\flashget.exe"=-

Driver::
Aspprorr

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

[cheeksyoung]

ComboFix 09-02-25.01 - Scott 2009-02-25 16:46:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1976 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\uacinit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081226.002\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081228.003\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.spm
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\esrdef.bin
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\hh
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ncsacert.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\scrauth.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcdefs.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\technote.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinf.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfidx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfl.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan2.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan3.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan4.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan5.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan6.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\whatsnew.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\zdone.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\definfo.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\usage.dat
c:\program files\FlashGet\jc_all.htm
c:\program files\FlashGet\jc_link.htm
c:\windows\system32\uacinit.dll
M:\dds.pif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Aspprorr


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:43 . 2009-02-24 22:51 <DIR> d-------- C:\ToolBar SD
2009-02-20 13:28 . 2009-02-20 13:28 512 --a------ c:\windows\randseed.rnd
2009-02-17 17:22 . 2009-02-17 17:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 17:22 . 2009-02-17 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 17:22 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 17:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 16:35 . 2009-02-13 16:35 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\program files\TiVo
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\program files\Common Files\TiVo Shared
2009-02-13 16:26 . 2009-02-13 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\TiVo
2009-02-13 16:25 . 2009-02-13 16:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-26 12:58 . 2009-01-26 12:58 <DIR> d-------- c:\program files\Aimersoft
2009-01-26 12:55 . 2004-10-12 14:40 2,255,360 --a------ c:\windows\system32\libavcodec.dll
2009-01-26 12:55 . 2004-10-12 14:46 1,761,280 --a------ c:\windows\system32\ffdshow.ax
2009-01-26 12:55 . 2004-10-05 16:16 395,776 --a------ c:\windows\system32\libmplayer.dll
2009-01-26 12:55 . 2004-10-12 14:42 262,144 --a------ c:\windows\system32\TomsMoComp_ff.dll
2009-01-26 12:55 . 2003-04-03 00:17 172,032 --a------ c:\windows\system32\ac3filter.ax
2009-01-26 12:55 . 2004-10-04 01:50 112,640 --a------ c:\windows\system32\libmpeg2_ff.dll
2009-01-26 12:54 . 2009-01-26 12:54 <DIR> d-------- c:\program files\Cucusoft
2009-01-26 12:46 . 2009-01-26 12:46 <DIR> d-------- c:\program files\DirectShow Dump

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 21:49 --------- d-----w c:\documents and settings\Scott\Application Data\DNA
2009-02-25 21:47 --------- d-----w c:\program files\FlashGet
2009-02-25 14:53 --------- d-----w c:\program files\DNA
2009-02-25 12:12 --------- d-----w c:\program files\Dl_cats
2009-02-25 03:52 --------- d-----w c:\documents and settings\Scott\Application Data\U3
2009-02-20 01:18 --------- d-----w c:\documents and settings\Scott\Application Data\Skype
2009-02-17 16:47 --------- d-----w c:\program files\Google
2009-01-20 18:09 --------- d-----w c:\program files\Photosynth
2009-01-16 14:00 --------- d-----w c:\documents and settings\Scott\Application Data\Yahoo!
2009-01-16 05:04 --------- d-----w c:\documents and settings\Scott\Application Data\skypePM
2009-01-10 17:43 --------- d-----w c:\program files\Jasc Software Inc
2009-01-10 17:43 --------- d-----w c:\documents and settings\Scott\Application Data\Jasc Software Inc
2009-01-10 17:42 --------- d-----w c:\program files\Dell Computer
2009-01-10 17:42 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2009-01-10 17:40 --------- d-----w c:\program files\Dell Photo AIO Printer 922
2009-01-09 03:41 --------- d-----w c:\program files\MSECache
2009-01-08 13:59 --------- d-----w c:\documents and settings\Scott\Application Data\Roxio
2009-01-08 13:52 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-01-08 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Uninstall
2009-01-08 13:51 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-01-08 13:51 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-01-08 13:51 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-01-08 13:50 --------- d-----w c:\program files\Roxio
2009-01-08 13:50 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-08 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-05 15:32 --------- d-----w c:\program files\Java
2008-12-29 15:13 --------- d-----w c:\program files\McAfee
2008-12-29 15:13 --------- d-----w c:\program files\Common Files\Cisco Systems
2008-12-29 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 15:12 --------- d-----w c:\program files\Common Files\McAfee
2008-12-27 03:36 --------- d-----w c:\program files\Skype
2008-12-27 03:36 --------- d-----w c:\program files\Common Files\Skype
2008-12-27 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-26 19:26 --------- d-----w c:\program files\Apple Software Update
2008-12-26 19:10 --------- d-----w c:\program files\Bonjour
2008-12-26 19:09 --------- d-----w c:\program files\iTunes
2008-12-26 19:09 --------- d-----w c:\program files\iPod
2008-12-26 19:09 --------- d-----w c:\program files\Common Files\Apple
2008-12-26 19:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 19:08 --------- d-----w c:\program files\QuickTime
2008-09-18 02:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-25_ 9.45.53.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-19 02:47:20 10,834,432 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-07-27 15:41:40 16,760 ------w c:\windows\system32\spmsg.dll
- 2006-10-19 02:47:20 10,834,432 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2006-10-19 02:47:20 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2008-06-24 23:12:58 295,936 ------w c:\windows\system32\wmpeffects.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 1189376]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 1931264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-17 126976]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-07 491520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-08 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\Scott\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-02-05 951640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-31 110592]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-05-23 315392]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Synergy\\synergys.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Synergy Server;Synergy Server;c:\program files\Synergy\synergys.exe [2006-04-02 733184]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 868864]
S2 gupdate1c986f5d914ebca;Google Update Service (gupdate1c986f5d914ebca);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 13:24]

2009-02-25 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-07 23:55]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\irtzu0af.Cheeksyoung 27\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 16:51:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Synergy\synrgyhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-25 16:54:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 21:54:50
ComboFix2.txt 2009-02-25 14:47:02

Pre-Run: 230,018,371,584 bytes free
Post-Run: 229,928,349,696 bytes free

352 --- E O F --- 2009-02-25 14:46:36

[chemist]

Hello again, Scott. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "c:\program files\FlashGet"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
• Scroll down to where it says Java Runtime Environment (JRE) 6 Update 12 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
• Click the Download button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
• Click Continue The page will refresh.
• Click on the link to download Windows Offline Installation and Save the file to your Desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
• Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

• After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u12-windows-i586-p.exe from your desktop.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at any Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected.
• It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior

[cheeksyoung]

Things are looking up......no more Google Updater popups at start and I seem to be able to get everywhere I need in Firefox.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 25, 2009 23:03:51
Records in database: 1844858
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\
N:\

Scan statistics:
Files scanned: 156371
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:01:22


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dcgmjp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jvg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_UACompfmjyi_.sys.zip Infected: Rootkit.Win32.TDSS.gwh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hlyjlhtl.dll.vir Infected: Trojan.Win32.Monder.bezy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mawpugmp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jvg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACapyejonm.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdqgoeawl.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACefkaprrp.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClkttjiwx.dll.vir Infected: Packed.Win32.Tdss.c 1

The selected area was scanned.

[chemist]

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

• How Did I Get Infected In The First Place? by TonyKlein
• PC Safety and Security--What Do I Need?

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

• SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  
• IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  
• MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here

Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.

[cheeksyoung]

chemist,

Thanks so much for all of your help....I have uninstalled combofix and implemented the programs you suggested.

Again, you have been very helpful, with timely posts and the best thing: IT WORKED!

Keep up the great work!!!

Scott

[chemist]

Your're very welcome, Scott. Glad to have helped.