Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 | Derwood1 (Registered User; Join Date: Mar 2009; Posts: 10; OS: Vista SP1) | 03-13-2009, 03:42 PM

Malware Help Please

First, thank you very much for helping me out!!!

I have a Dell laptop with some significant issues. It is running very slowly and has a recurring Trojan that I cannot get rid of. I am using CA Security and it is unable to get rid of it. I do not remember the name of the Trojan, and it has taken me 2 days to DL and run these scans. As soon as I track it down I will post it here.

Basically, besides running slowly, Internet Explorer continuously and spontaneously opens up multiple windows. I tried to do a complete restore using the disk provided by Dell, but I got errors stating I was unable to access the Tools.

Ok, this log you are asking me to post is way too long and the system will not let me post the thread, so I am going to attach it to this post then post again with the other 2...hope that is ok.

Once again thanks!

Ok here are the other 2 files.
Attached Files
File Type: zip DDS.zip (667.2 KB, 6 views)
File Type: zip ark.zip (78.4 KB, 6 views)
File Type: zip Attach.zip (1.5 KB, 1 views)
#2 | Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,926; OS: WinXP and Vista) | 03-13-2009, 08:21 PM

Re: Malware Help Please

Hello Derwood1 and welcome.

Quote:
Ok this log you are asking me to post is way to long
You have roughly 22,000 (that is not a typo - twenty-two thousand) malware entries running.

As such, I am going to tell you upfront that it can prove to be risky to clean this. I'm willing to try to do it, and if you are agreeable to attempting this, please back up all your important documents, pictures, etc. first. Boot into Safe Mode and see if the system is a bit faster for you, then back up to any removable media.

Let me know when that has been done and we'll begin. Or - let me know if you've decided you'd rather not proceed.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 | Derwood1 | 03-13-2009, 09:11 PM

Re: Malware Help Please

Thank you Ried for replying so quickly....I do appreciate it!

Ok, I have managed to get some of the docs I need off, but even in Safe Mode it is pretty slow. I am ready to try and recover this, because doing nothing is not an alternative as it is unusable this way. I absolve you of any damages.

So let's get started please! Oh, is 22,000 a record?

Last edited by Derwood1; 03-13-2009 at 09:19 PM.
#4 | Ried | 03-13-2009, 09:24 PM

Re: Malware Help Please

Alright, Derwood1 - hold onto your hat.

Needless to say, it will require more than one round to properly clean your system. Please stay with me.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

On your keyboard, press the Windows Logo key and the letter R to open the Run command box. Copy/paste the following text into the Run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you which I will need in your next reply.

I'll be standing by....
#5 | Derwood1 | 03-13-2009, 10:11 PM

Re: Malware Help Please

Thank you and ComboFix is now running....this may take awhile :P
#6 | Ried | 03-13-2009, 10:13 PM

Re: Malware Help Please

Thanks for letting me know that it is running. I'll continue to stand by.
#7 | Derwood1 | 03-13-2009, 11:52 PM

Re: Malware Help Please

Well Ried, the program ran all the way and is now at "rebooting windows....please wait"; it has been that way for about 20 minutes..... I assume I should keep waiting, right? I'm getting tired, so I may just let this sit until tomorrow morning...what do you think?

Last edited by Derwood1; 03-13-2009 at 11:56 PM.
#8 | Ried | 03-13-2009, 11:57 PM

Re: Malware Help Please

It is late here as well. :)

While that is a bit long to be waiting, if all went as planned, the tool has 22,000 registry keys to delete. Give it another 10 minutes and if it hasn't rebooted, reboot it yourself. ComboFix should continue upon reboot.

If no report pops open for you when it has completed, look for it at C:\ComboFix.txt

If no log is there, next chance you get, run ComboFix again by double clicking ComboFix.exe and post the log that is produced.
#9 | Derwood1 | 03-14-2009, 12:22 AM

Re: Malware Help Please

Ok Ried here is what I have so far and I must say the puter is already running better:

ComboFix 09-03-13.02 - Dad 2009-03-14 0:18:02.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.893.269 [GMT -4:00]
Running from: C:\Users\Dad\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\Internet Explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Zumie
C:\Program Files\Zumie\home.js
C:\Program Files\Zumie\readme.html
C:\Program Files\Zumie\uninstall.exe
C:\Program Files\Zumie\zopt.exe
C:\Program Files\Zumie\zumie.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Dad\AppData\Local\Temp\install_flash_player.exe
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\lsass.exe
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\A360.lnk
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Help.lnk
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Registration.lnk
C:\Users\Dad\Desktop\A360.lnk
C:\Windows\system32\f3PSSavr.scr
C:\Windows\Tasks\hnslnbkt.job

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 01:28 . 2009-03-14 01:28 4,316,766 --a------ C:\temp00.dat
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- C:\Users\All Users\WindowsSearch
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- C:\ProgramData\WindowsSearch
2009-03-13 03:02 . 2009-03-13 03:02 <DIR> d-------- C:\e60a561d6b73ab1288fc5679b0534a
2009-03-12 14:36 . 2008-12-15 23:29 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2009-03-12 14:36 . 2008-12-16 01:31 7,680 --a------ C:\Windows\System32\spwmp.dll
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ C:\Windows\System32\msdxm.ocx
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ C:\Windows\System32\dxmasf.dll
2009-03-12 14:35 . 2008-11-27 00:43 268,288 --a------ C:\Windows\System32\schannel.dll
2009-03-12 14:34 . 2009-02-08 23:10 2,033,152 --a------ C:\Windows\System32\win32k.sys
2009-03-01 13:16 . 2009-03-01 13:16 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-24 04:04 . 2008-05-27 01:18 231,936 --a------ C:\Windows\System32\msshsq.dll
2009-02-24 04:04 . 2008-05-27 00:59 106,605 --a------ C:\Windows\System32\StructuredQuerySchema.bin
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ C:\Windows\System32\SearchFilterHost.exe
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ C:\Windows\System32\mssitlb.dll
2009-02-24 04:04 . 2008-05-27 01:18 71,680 --a------ C:\Windows\System32\propdefs.dll
2009-02-24 04:04 . 2008-05-27 01:18 44,032 --a------ C:\Windows\System32\msstrc.dll
2009-02-24 04:04 . 2008-05-27 01:17 34,816 --a------ C:\Windows\System32\msscb.dll
2009-02-24 04:04 . 2008-05-27 00:59 18,904 --a------ C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2009-02-24 04:04 . 2008-05-27 01:17 11,776 --a------ C:\Windows\System32\msshooks.dll
2009-02-23 20:12 . 2008-04-26 04:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2009-02-22 19:23 . 2009-02-22 19:23 <DIR> d-------- C:\PerfLogs
2009-02-21 23:50 . 2008-06-19 21:18 781,344 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 622,080 --a------ C:\Windows\System32\icardagt.exe
2009-02-21 23:50 . 2008-06-19 21:18 105,016 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 97,800 --a------ C:\Windows\System32\infocardapi.dll
2009-02-21 23:50 . 2008-06-19 21:18 43,544 --a------ C:\Windows\System32\PresentationHostProxy.dll
2009-02-21 23:50 . 2008-06-19 21:17 37,384 --a------ C:\Windows\System32\infocardcpl.cpl
2009-02-21 23:50 . 2008-06-19 21:17 11,264 --a------ C:\Windows\System32\icardres.dll
2009-02-21 23:49 . 2008-06-19 21:18 326,160 --a------ C:\Windows\System32\PresentationHost.exe
2009-02-21 23:47 . 2009-02-21 23:49 37,765,120 --a------ C:\Windows\ocsetup_install_NetFx3.etl
2009-02-21 23:47 . 2009-02-21 23:49 32,768 --a------ C:\Windows\ocsetup_cbs_install_NetFx3.perf
2009-02-21 23:47 . 2009-02-21 23:49 16,384 --a------ C:\Windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-21 23:33 . 2008-07-27 14:00 282,112 --a------ C:\Windows\System32\mscoree.dll
2009-02-21 23:33 . 2008-07-27 14:00 158,720 --a------ C:\Windows\System32\mscorier.dll
2009-02-21 23:33 . 2008-07-27 14:00 96,760 --a------ C:\Windows\System32\dfshim.dll
2009-02-21 23:33 . 2008-07-27 14:00 41,984 --a------ C:\Windows\System32\netfxperf.dll
2009-02-21 23:32 . 2008-07-27 14:00 83,968 --a------ C:\Windows\System32\mscories.dll
2009-02-21 20:28 . 2009-02-21 20:27 880,560 --a------ C:\Windows\System32\drivers\vetefile.sys
2009-02-21 20:28 . 2009-02-21 20:27 108,368 --a------ C:\Windows\System32\drivers\veteboot.sys
2009-02-21 20:24 . 2007-08-20 14:37 99,592 --a------ C:\Windows\System32\isafeif.dll
2009-02-21 20:24 . 2007-08-20 14:26 79,424 --a------ C:\Windows\System32\vetredir.dll
2009-02-21 20:24 . 2007-08-20 14:37 75,016 --a------ C:\Windows\System32\isafprod.dll
2009-02-21 20:24 . 2007-08-20 14:38 32,264 --a------ C:\Windows\System32\drivers\vetmonnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 26,376 --a------ C:\Windows\System32\drivers\vet-filt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,512 --a------ C:\Windows\System32\drivers\vetfddnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,128 --a------ C:\Windows\System32\drivers\vet-rec.sys
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- C:\Users\All Users\CA
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- C:\ProgramData\CA
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- C:\Program Files\Common Files\Scanner
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- C:\Program Files\CA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 15:24 --------- d-----w C:\Program Files\Windows Mail
2009-03-13 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2009-02-28 05:03 --------- d-----w C:\Users\Dad\AppData\Roaming\mIRC
2009-02-23 00:33 174 --sha-w C:\Program Files\desktop.ini
2009-02-22 23:25 --------- d-----w C:\Program Files\Windows Sidebar
2009-02-22 23:25 --------- d-----w C:\Program Files\Windows Photo Gallery
2009-02-22 23:25 --------- d-----w C:\Program Files\Windows Defender
2009-02-22 23:25 --------- d-----w C:\Program Files\Windows Collaboration
2009-02-22 23:25 --------- d-----w C:\Program Files\Windows Calendar
2009-02-22 21:39 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2009-02-22 21:39 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2009-01-31 19:37 --------- d-----w C:\Users\Dad\AppData\Roaming\Intuit
2009-01-31 18:38 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
2009-01-31 18:29 --------- d-----w C:\ProgramData\Intuit
2009-01-31 18:28 --------- d-----w C:\Program Files\Common Files\Intuit
2009-01-31 18:24 --------- d-----w C:\Program Files\TurboTax
2009-01-20 01:23 --------- d-----w C:\Users\Courtney\AppData\Roaming\Apple Computer
2009-01-17 17:59 --------- d-----w C:\Users\Dad\AppData\Roaming\IMVU
2009-01-17 17:07 --------- d-----w C:\Users\Dad\AppData\Roaming\IMVUClient
2009-01-17 16:36 --------- d-----w C:\Program Files\IMVU
2009-01-15 06:11 827,392 ----a-w C:\Windows\System32\wininet.dll
2009-01-14 21:48 6 ----a-w C:\Windows\Fonts\wfonts.key
2008-11-21 19:59 170 ----a-w C:\Users\Dad\AppData\Roaming\wklnhst.dat
2008-05-20 03:37 750 ----a-w C:\Users\Courtney\AppData\Roaming\wklnhst.dat
.
#10 | Ried | 03-14-2009, 06:57 AM

Re: Malware Help Please

Hi Derwood1,

Was that all that was in the ComboFix.txt? There should have been more info following the Find3M Report.

Please take another look and attach the C:\ComboFix.txt if it's too large.

If what you posted is the entire ComboFix.txt, please run ComboFix again by double clicking it. Post the resultant ComboFix.txt
#11 | Derwood1 | 03-14-2009, 08:42 AM

Re: Malware Help Please

Ok, this time the scan was MUCH quicker....things seem to be running a whole lot better now. I realized just this morning that when I ran the scan I double-clicked on combofix instead of doing the "%userprofile........ like you told me to......hope that isn't a problem...sorry.

One thing: I got a Run DLL error I haven't seen before while the log was being prepared: error loading c:/progra~1\myweb~1\bar\1.bin\msplugin.DLL

Is that anything to worry about? Here is the log:

ComboFix 09-03-13.02 - Dad 2009-03-14 9:50:27.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.893.338 [GMT -4:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\FunWebProducts
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\program files\Zumie
c:\program files\Zumie\home.js
c:\program files\Zumie\readme.html
c:\program files\Zumie\uninstall.exe
c:\program files\Zumie\zopt.exe
c:\program files\Zumie\zumie.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Dad\AppData\Local\Temp\install_flash_player.exe
c:\users\Dad\AppData\Roaming\Microsoft\Windows\lsass.exe
c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360
c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\A360.lnk
c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Help.lnk
c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Registration.lnk
c:\users\Dad\Desktop\A360.lnk
c:\windows\system32\f3PSSavr.scr
c:\windows\Tasks\hnslnbkt.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 09:44 . 2009-03-14 09:49 <DIR> d-------- C:\32788R22FWJFW
2009-03-14 01:28 . 2009-03-14 10:11 3,820,949 --a------ C:\temp00.dat
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\programdata\WindowsSearch
2009-03-13 03:02 . 2009-03-13 03:02 <DIR> d-------- C:\e60a561d6b73ab1288fc5679b0534a
2009-03-12 14:36 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-12 14:36 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-12 14:35 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-12 14:34 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-01 13:16 . 2009-03-01 13:16 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-24 04:04 . 2008-05-27 01:18 231,936 --a------ c:\windows\System32\msshsq.dll
2009-02-24 04:04 . 2008-05-27 00:59 106,605 --a------ c:\windows\System32\StructuredQuerySchema.bin
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\SearchFilterHost.exe
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\mssitlb.dll
2009-02-24 04:04 . 2008-05-27 01:18 71,680 --a------ c:\windows\System32\propdefs.dll
2009-02-24 04:04 . 2008-05-27 01:18 44,032 --a------ c:\windows\System32\msstrc.dll
2009-02-24 04:04 . 2008-05-27 01:17 34,816 --a------ c:\windows\System32\msscb.dll
2009-02-24 04:04 . 2008-05-27 00:59 18,904 --a------ c:\windows\System32\StructuredQuerySchemaTrivial.bin
2009-02-24 04:04 . 2008-05-27 01:17 11,776 --a------ c:\windows\System32\msshooks.dll
2009-02-23 20:12 . 2008-04-26 04:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-02-22 19:23 . 2009-02-22 19:23 <DIR> d-------- C:\PerfLogs
2009-02-21 23:50 . 2008-06-19 21:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-21 23:50 . 2008-06-19 21:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-21 23:50 . 2008-06-19 21:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-21 23:50 . 2008-06-19 21:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-21 23:50 . 2008-06-19 21:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-21 23:49 . 2008-06-19 21:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-21 23:47 . 2009-02-21 23:49 37,765,120 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-21 23:47 . 2009-02-21 23:49 32,768 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-21 23:47 . 2009-02-21 23:49 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-21 23:33 . 2008-07-27 14:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-21 23:33 . 2008-07-27 14:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-21 23:33 . 2008-07-27 14:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-21 23:33 . 2008-07-27 14:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-21 23:32 . 2008-07-27 14:00 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-21 20:28 . 2009-02-21 20:27 880,560 --a------ c:\windows\System32\drivers\vetefile.sys
2009-02-21 20:28 . 2009-02-21 20:27 108,368 --a------ c:\windows\System32\drivers\veteboot.sys
2009-02-21 20:24 . 2007-08-20 14:37 99,592 --a------ c:\windows\System32\isafeif.dll
2009-02-21 20:24 . 2007-08-20 14:26 79,424 --a------ c:\windows\System32\vetredir.dll
2009-02-21 20:24 . 2007-08-20 14:37 75,016 --a------ c:\windows\System32\isafprod.dll
2009-02-21 20:24 . 2007-08-20 14:38 32,264 --a------ c:\windows\System32\drivers\vetmonnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 26,376 --a------ c:\windows\System32\drivers\vet-filt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,512 --a------ c:\windows\System32\drivers\vetfddnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,128 --a------ c:\windows\System32\drivers\vet-rec.sys
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\users\All Users\CA
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\programdata\CA
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\Common Files\Scanner
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\CA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 15:24 --------- d-----w c:\program files\Windows Mail
2009-03-13 07:00 --------- d-----w c:\program files\Norton Security Scan
2009-02-28 05:03 --------- d-----w c:\users\Dad\AppData\Roaming\mIRC
2009-02-23 00:33 174 --sha-w c:\program files\desktop.ini
2009-02-22 23:25 --------- d-----w c:\program files\Windows Sidebar
2009-02-22 23:25 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-22 23:25 --------- d-----w c:\program files\Windows Defender
2009-02-22 23:25 --------- d-----w c:\program files\Windows Collaboration
2009-02-22 23:25 --------- d-----w c:\program files\Windows Calendar
2009-02-22 21:39 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-02-22 21:39 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-31 19:37 --------- d-----w c:\users\Dad\AppData\Roaming\Intuit
2009-01-31 18:38 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-01-31 18:29 --------- d-----w c:\programdata\Intuit
2009-01-31 18:28 --------- d-----w c:\program files\Common Files\Intuit
2009-01-31 18:24 --------- d-----w c:\program files\TurboTax
2009-01-20 01:23 --------- d-----w c:\users\Courtney\AppData\Roaming\Apple Computer
2009-01-17 17:59 --------- d-----w c:\users\Dad\AppData\Roaming\IMVU
2009-01-17 17:07 --------- d-----w c:\users\Dad\AppData\Roaming\IMVUClient
2009-01-17 16:36 --------- d-----w c:\program files\IMVU
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-14 21:48 6 ----a-w c:\windows\Fonts\wfonts.key
2008-11-21 19:59 170 ----a-w c:\users\Dad\AppData\Roaming\wklnhst.dat
2008-05-20 03:37 750 ----a-w c:\users\Courtney\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 2.15.23.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-14 14:25:20 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-14 14:25:20 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-14 06:07:24 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-14 14:26:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2009-03-14 06:07:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-14 14:26:12 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2009-03-14 03:17:35 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-14 06:12:31 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-14 03:17:35 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-14 06:12:31 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-14 06:07:44 6,686 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
+ 2009-03-14 14:27:28 7,034 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
- 2009-03-14 06:07:44 57,544 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 14:27:28 57,560 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-14 06:07:44 38,536 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 14:27:23 38,642 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-14 02:54:08 241,530 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-14 13:41:06 242,020 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 19:26 635392 --a------ c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nhivihi"="c:\users\Dad\AppData\Local\Bcomal.dll" [2009-03-05 40960]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-28 68856]
"Google Update"="c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"Uqaha"="c:\users\Dad\AppData\Local\ekuperulazexizux.dll" [2009-03-05 132096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-21 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-06 29744]
"G2"="c:\program files\GamingSquared\Gaming2\G2.exe" [2008-03-03 1215664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.lnk" [2008-06-06 1804]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-21 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 c:\windows\sttray.exe]

c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\Dad\AppData\Roaming\IMVUClient\IMVUClient.exe [2008-12-23 49408]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-29 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5836706E-92F7-48FB-8972-E72EEFDBB673}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E4331A4F-508E-4AD7-8F2B-95F224A2FC9E}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{B4943228-6E38-4FC0-97B3-44A927F197FE}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{84C38EC2-DA63-4069-871D-A58B6F9BD074}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{FA76C633-0BD3-4181-9EB4-0B04EEB80D44}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{96E9E4A0-424B-4F98-B868-A56A815FC9F4}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{9649797A-D207-4AE8-86F1-13F577C2244F}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{CCA18580-EB25-4D58-9F72-CBDDB7C0EC32}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{FD13E65D-B49E-4C88-B04C-160167930815}"= UDP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{B8347549-D977-41AE-ACD3-00CB4E3D0761}"= TCP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{A4CBC2F2-84E5-4D41-948E-A46D4FE553D6}"= UDP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{FCA025DD-D63C-4790-92A5-F9CCB90A2DC9}"= TCP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{46E63CFC-6DB1-4CAC-959F-F0BB81AE43FF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C11A3D50-F5E2-4A73-8806-65927198ACF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11C50D32-1B1A-430C-9EB5-DE251A6D5691}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{67633E6A-5648-43B4-AB44-A3D79FD36D34}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-25 24652]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-11-29 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7bf771a-ef47-11dd-bb5b-001d09afda03}]
\shell\AutoRun\command - .\MigWiz\migsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\CAAntiSpywareScan_Daily as Dad at 7 24 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 22:10]

2009-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1296082034-130973300-2530275850-1000.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 21:44]

2009-03-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Lsass Service - c:\users\Dad\AppData\Roaming\Microsoft\Windows\lsass.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKman000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\grfm390l.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
FF - component: c:\program files\GamingSquared\Gaming2\FF_v1042\components\G2FF_v1042.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Dad\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 10:26:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'Explorer.exe'(3696)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\users\Dad\AppData\Local\Bcomal.dll
c:\users\Dad\AppData\Local\ekuperulazexizux.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Boingo\GoBoingo\GoBoingo.exe
c:\windows\System32\rundll32.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-14 10:33:58 - machine was rebooted [Dad]
ComboFix-quarantined-files.txt 2009-03-14 14:33:36

Pre-Run: 18,128,211,968 bytes free
Post-Run: 17,985,196,032 bytes free

378 --- E O F --- 2009-03-12 19:45:29
Old 03-14-2009, 11:05 AM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,926
OS: WinXP and Vista

Re: Malware Help Please

Quote:
Oh is 22,000 a record?
I would venture to say 'yes' and I don't think that would be 'going out on a limb' to claim that.

I can't believe your system would even run, to be honest. And I also don't mind telling you that without ComboFix, you would likely have been looking at a reformat. No other tool would have been able to do what ComboFix just did, and you have the author of the tool to thank for that.

On with the fix...

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:


http://www.techsupportforum.com/secu...ml#post2021778

Collect::
c:\users\Dad\AppData\Local\Bcomal.dll
c:\users\Dad\AppData\Local\ekuperulazexizux.dll

File::
c:\windows\Tasks\Norton Security Scan.job

DDS::
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKman000
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior


*you should no longer have the 'error loading c:/progra~1\myweb~1\bar\1.bin\msplugin.DLL' message. Please let me know if you do.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
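Added here as a triage example (not ComboFix's code and not anything from this thread): a Python script that reads a ComboFix "Reg Loading Points" section and flags the patterns the fix above acts on, Run values that launch a DLL dropped in a user's AppData folder, an autorun that borrows a system process name outside the Windows folder, and Security Center overrides that silence antivirus/firewall warnings. The embedded log sample is constructed from entries like the ones posted in this thread (the size on the Lsass Service line is made up).

```python
"""Flag suspicious autoruns and Security Center overrides in a ComboFix
'Reg Loading Points' section.  Added example; not part of ComboFix."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log in this thread (REGEDIT4 style).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nhivihi"="c:\users\Dad\AppData\Local\Bcomal.dll" [2009-03-05 40960]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Uqaha"="c:\users\Dad\AppData\Local\ekuperulazexizux.dll" [2009-03-05 132096]
"Lsass Service"="c:\users\Dad\AppData\Roaming\Microsoft\Windows\lsass.exe" [2009-03-05 1000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')        # Run data: "path" [date size]
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")

# Values under 'security center' that, when non-zero, hide AV/firewall/update
# warnings from the user or stop Windows from monitoring the installed product.
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                   "updatesdisablenotify", "disablemonitoring"}
# Names of core Windows processes that malware often borrows (heuristic list).
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg_points(text):
    """Yield (key, value_name, value_data) for each value line under a [key]."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def triage(text):
    """Return the list of Findings for a Reg Loading Points section."""
    findings = []
    for key, name, data in parse_reg_points(text):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            m = PATH_RE.match(data)
            if not m:
                continue
            path = m.group("path").lower()
            base = path.rsplit("\\", 1)[-1]
            # A Run value that names a .dll is launched via rundll32 (the user's
            # 'Error loading ...' RunDLL messages show that); a DLL living in a
            # per-user AppData folder is the pattern removed in this thread.
            if path.endswith(".dll") and "\\appdata\\" in path:
                findings.append(Finding(key, name, path, "DLL autorun from user AppData"))
            elif base in SYSTEM_PROCESS_NAMES and not path.startswith("c:\\windows\\"):
                findings.append(Finding(key, name, path, "system process name outside Windows"))
        elif "\\security center" in k:
            m = DWORD_RE.match(data)
            if m and name.lower() in OVERRIDE_VALUES and int(m.group("hex"), 16) != 0:
                findings.append(Finding(key, name, data, "Security Center warning suppressed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:40} {f.name!r:26} {f.data}")
```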
Old 03-14-2009, 03:05 PM   #13
Registered User
Join Date: Mar 2009
Posts: 10
OS: Vista sp1

Re: Malware Help Please

Ok, the system continues to run much better than before. I did not get the same dll error as before. I did get 2 other "Run DLL" errors as Combofix was preparing its report:

Error loading C:/users\Dad\AppData\Local\Bcomal.dll
The specified module could not be found
and
Error loading C:/users\Dad\AppData\Local\ekuperulazexizux.dll
The specified module could not be found

here are the logs:

ComboFix 09-03-13.02 - Dad 2009-03-14 13:21:51.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.893.256 [GMT -4:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\Norton Security Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dad\AppData\Local\Bcomal.dll
c:\users\Dad\AppData\Local\ekuperulazexizux.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\programdata\WindowsSearch
2009-03-13 03:02 . 2009-03-13 03:02 <DIR> d-------- C:\e60a561d6b73ab1288fc5679b0534a
2009-03-12 14:36 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-12 14:36 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-12 14:35 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-12 14:34 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-01 13:16 . 2009-03-01 13:16 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-24 04:04 . 2008-05-27 01:18 231,936 --a------ c:\windows\System32\msshsq.dll
2009-02-24 04:04 . 2008-05-27 00:59 106,605 --a------ c:\windows\System32\StructuredQuerySchema.bin
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\SearchFilterHost.exe
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\mssitlb.dll
2009-02-24 04:04 . 2008-05-27 01:18 71,680 --a------ c:\windows\System32\propdefs.dll
2009-02-24 04:04 . 2008-05-27 01:18 44,032 --a------ c:\windows\System32\msstrc.dll
2009-02-24 04:04 . 2008-05-27 01:17 34,816 --a------ c:\windows\System32\msscb.dll
2009-02-24 04:04 . 2008-05-27 00:59 18,904 --a------ c:\windows\System32\StructuredQuerySchemaTrivial.bin
2009-02-24 04:04 . 2008-05-27 01:17 11,776 --a------ c:\windows\System32\msshooks.dll
2009-02-23 20:12 . 2008-04-26 04:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-02-22 19:23 . 2009-02-22 19:23 <DIR> d-------- C:\PerfLogs
2009-02-21 23:50 . 2008-06-19 21:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-21 23:50 . 2008-06-19 21:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-21 23:50 . 2008-06-19 21:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-21 23:50 . 2008-06-19 21:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-21 23:50 . 2008-06-19 21:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-21 23:49 . 2008-06-19 21:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-21 23:47 . 2009-02-21 23:49 37,765,120 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-21 23:47 . 2009-02-21 23:49 32,768 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-21 23:47 . 2009-02-21 23:49 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-21 23:33 . 2008-07-27 14:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-21 23:33 . 2008-07-27 14:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-21 23:33 . 2008-07-27 14:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-21 23:33 . 2008-07-27 14:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-21 23:32 . 2008-07-27 14:00 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-21 20:28 . 2009-02-21 20:27 880,560 --a------ c:\windows\System32\drivers\vetefile.sys
2009-02-21 20:28 . 2009-02-21 20:27 108,368 --a------ c:\windows\System32\drivers\veteboot.sys
2009-02-21 20:24 . 2007-08-20 14:37 99,592 --a------ c:\windows\System32\isafeif.dll
2009-02-21 20:24 . 2007-08-20 14:26 79,424 --a------ c:\windows\System32\vetredir.dll
2009-02-21 20:24 . 2007-08-20 14:37 75,016 --a------ c:\windows\System32\isafprod.dll
2009-02-21 20:24 . 2007-08-20 14:38 32,264 --a------ c:\windows\System32\drivers\vetmonnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 26,376 --a------ c:\windows\System32\drivers\vet-filt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,512 --a------ c:\windows\System32\drivers\vetfddnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,128 --a------ c:\windows\System32\drivers\vet-rec.sys
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\users\All Users\CA
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\programdata\CA
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\Common Files\Scanner
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\CA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:52 --------- d-----w c:\program files\Google
2009-03-14 16:38 --------- d-----w c:\program files\Yahoo!
2009-03-14 15:18 --------- d-----w c:\program files\Norton Security Scan
2009-03-14 15:17 --------- d-----w c:\programdata\Symantec
2009-03-13 15:24 --------- d-----w c:\program files\Windows Mail
2009-02-28 05:03 --------- d-----w c:\users\Dad\AppData\Roaming\mIRC
2009-02-23 00:33 174 --sha-w c:\program files\desktop.ini
2009-02-22 23:25 --------- d-----w c:\program files\Windows Sidebar
2009-02-22 23:25 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-22 23:25 --------- d-----w c:\program files\Windows Defender
2009-02-22 23:25 --------- d-----w c:\program files\Windows Collaboration
2009-02-22 23:25 --------- d-----w c:\program files\Windows Calendar
2009-02-22 21:39 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-02-22 21:39 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-31 19:37 --------- d-----w c:\users\Dad\AppData\Roaming\Intuit
2009-01-31 18:38 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-01-31 18:29 --------- d-----w c:\programdata\Intuit
2009-01-31 18:28 --------- d-----w c:\program files\Common Files\Intuit
2009-01-31 18:24 --------- d-----w c:\program files\TurboTax
2009-01-20 01:23 --------- d-----w c:\users\Courtney\AppData\Roaming\Apple Computer
2009-01-17 16:36 --------- d-----w c:\program files\IMVU
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-14 21:48 6 ----a-w c:\windows\Fonts\wfonts.key
2008-11-21 19:59 170 ----a-w c:\users\Dad\AppData\Roaming\wklnhst.dat
2008-05-20 03:37 750 ----a-w c:\users\Courtney\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 2.15.23.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-14 17:27:28 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-14 17:27:28 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-14 06:07:24 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-14 17:28:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2009-03-14 06:07:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-14 17:28:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2009-03-14 03:27:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-14 14:29:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-14 03:27:19 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-14 14:29:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-14 03:27:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-14 14:29:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-14 03:17:35 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-14 16:56:58 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-14 03:17:35 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-14 16:56:58 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-14 06:07:44 6,686 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
+ 2009-03-14 17:29:38 7,106 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
- 2009-03-14 06:07:44 57,544 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 17:29:38 57,576 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-13 23:39:40 5,550 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-14 16:51:18 5,550 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-03-14 06:07:44 38,536 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 17:29:35 39,398 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-14 02:54:08 241,530 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-14 16:19:18 242,116 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 19:26 635392 --a------ c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-21 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"G2"="c:\program files\GamingSquared\Gaming2\G2.exe" [2008-03-03 1215664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.lnk" [2008-06-06 1804]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-21 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-29 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^Users^Dad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-28 21:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5836706E-92F7-48FB-8972-E72EEFDBB673}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E4331A4F-508E-4AD7-8F2B-95F224A2FC9E}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{B4943228-6E38-4FC0-97B3-44A927F197FE}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{84C38EC2-DA63-4069-871D-A58B6F9BD074}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{FA76C633-0BD3-4181-9EB4-0B04EEB80D44}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{96E9E4A0-424B-4F98-B868-A56A815FC9F4}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{9649797A-D207-4AE8-86F1-13F577C2244F}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{CCA18580-EB25-4D58-9F72-CBDDB7C0EC32}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{FD13E65D-B49E-4C88-B04C-160167930815}"= UDP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{B8347549-D977-41AE-ACD3-00CB4E3D0761}"= TCP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{A4CBC2F2-84E5-4D41-948E-A46D4FE553D6}"= UDP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{FCA025DD-D63C-4790-92A5-F9CCB90A2DC9}"= TCP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{46E63CFC-6DB1-4CAC-959F-F0BB81AE43FF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C11A3D50-F5E2-4A73-8806-65927198ACF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11C50D32-1B1A-430C-9EB5-DE251A6D5691}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{67633E6A-5648-43B4-AB44-A3D79FD36D34}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-25 24652]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7bf771a-ef47-11dd-bb5b-001d09afda03}]
\shell\AutoRun\command - .\MigWiz\migsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\CAAntiSpywareScan_Daily as Dad at 7 24 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 22:10]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Nhivihi - c:\users\Dad\AppData\Local\Bcomal.dll
HKCU-Run-Uqaha - c:\users\Dad\AppData\Local\ekuperulazexizux.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\grfm390l.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
FF - component: c:\program files\GamingSquared\Gaming2\FF_v1042\components\G2FF_v1042.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 13:28:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Boingo\GoBoingo\GoBoingo.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-03-14 13:34:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 17:34:48
ComboFix2.txt 2009-03-14 14:33:59

Pre-Run: 19,269,816,320 bytes free
Post-Run: 19,136,311,296 bytes free

283 --- E O F --- 2009-03-12 19:45:29


Oh jeez I just tried to copy the Kaspersky Report and it does not show up on the desktop which is where I saved it. I tried it multiple times in different places, each time I went to save it showed the previous attempts but when I tried to open them to copy the report they do not show up. I just started another scan but who's to say that won't happen again...any ideas?
Old 03-14-2009, 06:07 PM   #14 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 10
OS: Vista sp1


Re: Malware Help Please

Well I saved it to an external drive and that worked....whew!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 14, 2009
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 14, 2009 22:44:29
Records in database: 1903311
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 112926
Threat name: 12
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:29:33


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.632 1
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ci 1
C:\Qoobox\Quarantine\C\Program Files\Zumie\zopt.exe.vir Infected: not-a-virus:AdWare.Win32.OneStep.p 1
C:\Qoobox\Quarantine\C\Users\Dad\AppData\Roaming\Microsoft\Windows\lsass.exe.vir Infected: Trojan.Win32.Obfuscated.abfe 1
C:\Qoobox\Quarantine\[4]-Submit_2009-03-14@13.21.zip Infected: Trojan.Win32.Buzus.aphb 1
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\ms86.exe Infected: Trojan.Win32.Buzus.apbr 1

The selected area was scanned.
Old 03-14-2009, 06:50 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,926
OS: WinXP and Vista


Re: Malware Help Please

Hi Derwood1,

Quote:
2 other "Run DLL" errors as Combofix was preparing its report
Combofix wasn't quite finished at that point. Those errors will be gone now.

One more to take care of. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355769-malware-help-please-post2022580.html#post2022580

Collect::
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\ms86.exe
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

Post the ComboFix.txt in your next reply please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-14-2009, 07:24 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 10
OS: Vista sp1


Re: Malware Help Please

ComboFix 09-03-13.02 - Dad 2009-03-14 2134.4 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.893.275 [GMT -4:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dad\AppData\Roaming\Microsoft\Windows\ms86.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-03-13 12:46 . 2009-03-13 12:46 <DIR> d-------- c:\programdata\WindowsSearch
2009-03-13 03:02 . 2009-03-13 03:02 <DIR> d-------- C:\e60a561d6b73ab1288fc5679b0534a
2009-03-12 14:36 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-12 14:36 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-12 14:36 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-12 14:35 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-12 14:34 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-01 13:16 . 2009-03-01 13:16 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-24 04:04 . 2008-05-27 01:18 231,936 --a------ c:\windows\System32\msshsq.dll
2009-02-24 04:04 . 2008-05-27 00:59 106,605 --a------ c:\windows\System32\StructuredQuerySchema.bin
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\SearchFilterHost.exe
2009-02-24 04:04 . 2008-05-27 01:17 87,552 --a------ c:\windows\System32\mssitlb.dll
2009-02-24 04:04 . 2008-05-27 01:18 71,680 --a------ c:\windows\System32\propdefs.dll
2009-02-24 04:04 . 2008-05-27 01:18 44,032 --a------ c:\windows\System32\msstrc.dll
2009-02-24 04:04 . 2008-05-27 01:17 34,816 --a------ c:\windows\System32\msscb.dll
2009-02-24 04:04 . 2008-05-27 00:59 18,904 --a------ c:\windows\System32\StructuredQuerySchemaTrivial.bin
2009-02-24 04:04 . 2008-05-27 01:17 11,776 --a------ c:\windows\System32\msshooks.dll
2009-02-23 20:12 . 2008-04-26 04:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-02-22 19:23 . 2009-02-22 19:23 <DIR> d-------- C:\PerfLogs
2009-02-21 23:50 . 2008-06-19 21:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-21 23:50 . 2008-06-19 21:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-21 23:50 . 2008-06-19 21:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-21 23:50 . 2008-06-19 21:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-21 23:50 . 2008-06-19 21:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-21 23:50 . 2008-06-19 21:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-21 23:49 . 2008-06-19 21:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-21 23:47 . 2009-02-21 23:49 37,765,120 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-21 23:47 . 2009-02-21 23:49 32,768 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-21 23:47 . 2009-02-21 23:49 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-21 23:33 . 2008-07-27 14:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-21 23:33 . 2008-07-27 14:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-21 23:33 . 2008-07-27 14:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-21 23:33 . 2008-07-27 14:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-21 23:32 . 2008-07-27 14:00 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-21 20:28 . 2009-02-21 20:27 880,560 --a------ c:\windows\System32\drivers\vetefile.sys
2009-02-21 20:28 . 2009-02-21 20:27 108,368 --a------ c:\windows\System32\drivers\veteboot.sys
2009-02-21 20:24 . 2007-08-20 14:37 99,592 --a------ c:\windows\System32\isafeif.dll
2009-02-21 20:24 . 2007-08-20 14:26 79,424 --a------ c:\windows\System32\vetredir.dll
2009-02-21 20:24 . 2007-08-20 14:37 75,016 --a------ c:\windows\System32\isafprod.dll
2009-02-21 20:24 . 2007-08-20 14:38 32,264 --a------ c:\windows\System32\drivers\vetmonnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 26,376 --a------ c:\windows\System32\drivers\vet-filt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,512 --a------ c:\windows\System32\drivers\vetfddnt.sys
2009-02-21 20:24 . 2007-08-20 14:38 21,128 --a------ c:\windows\System32\drivers\vet-rec.sys
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\users\All Users\CA
2009-02-21 20:23 . 2009-02-21 20:25 <DIR> d-------- c:\programdata\CA
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\Common Files\Scanner
2009-02-21 20:23 . 2009-02-21 20:23 <DIR> d-------- c:\program files\CA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:52 --------- d-----w c:\program files\Google
2009-03-14 16:38 --------- d-----w c:\program files\Yahoo!
2009-03-14 15:18 --------- d-----w c:\program files\Norton Security Scan
2009-03-14 15:17 --------- d-----w c:\programdata\Symantec
2009-03-13 15:24 --------- d-----w c:\program files\Windows Mail
2009-02-28 05:03 --------- d-----w c:\users\Dad\AppData\Roaming\mIRC
2009-02-23 00:33 174 --sha-w c:\program files\desktop.ini
2009-02-22 23:25 --------- d-----w c:\program files\Windows Sidebar
2009-02-22 23:25 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-22 23:25 --------- d-----w c:\program files\Windows Defender
2009-02-22 23:25 --------- d-----w c:\program files\Windows Collaboration
2009-02-22 23:25 --------- d-----w c:\program files\Windows Calendar
2009-02-22 21:39 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-02-22 21:39 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-31 19:37 --------- d-----w c:\users\Dad\AppData\Roaming\Intuit
2009-01-31 18:38 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-01-31 18:29 --------- d-----w c:\programdata\Intuit
2009-01-31 18:28 --------- d-----w c:\program files\Common Files\Intuit
2009-01-31 18:24 --------- d-----w c:\program files\TurboTax
2009-01-20 01:23 --------- d-----w c:\users\Courtney\AppData\Roaming\Apple Computer
2009-01-17 16:36 --------- d-----w c:\program files\IMVU
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-14 21:48 6 ----a-w c:\windows\Fonts\wfonts.key
2008-11-21 19:59 170 ----a-w c:\users\Dad\AppData\Roaming\wklnhst.dat
2008-05-20 03:37 750 ----a-w c:\users\Courtney\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 2.15.23.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-14 17:27:28 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-14 06:04:25 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-14 17:27:28 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-14 06:07:24 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-14 17:28:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2009-03-14 06:07:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-14 17:28:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2009-03-14 03:27:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-14 14:29:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-14 03:27:19 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-14 14:29:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-14 03:27:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-14 14:29:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-14 03:17:35 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-15 00:02:39 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-14 03:17:35 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-15 00:02:39 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-14 06:07:44 6,686 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
+ 2009-03-14 17:29:38 7,106 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296082034-130973300-2530275850-1000_UserData.bin
- 2009-03-14 06:07:44 57,544 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 17:29:38 57,576 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-13 23:39:40 5,550 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-14 16:51:18 5,550 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-03-14 06:07:44 38,536 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-14 17:29:35 39,398 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-14 02:54:08 241,530 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-15 00:59:48 242,116 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 19:26 635392 --a------ c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-21 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"G2"="c:\program files\GamingSquared\Gaming2\G2.exe" [2008-03-03 1215664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.lnk" [2008-06-06 1804]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-21 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-29 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^Users^Dad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-28 21:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5836706E-92F7-48FB-8972-E72EEFDBB673}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E4331A4F-508E-4AD7-8F2B-95F224A2FC9E}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{B4943228-6E38-4FC0-97B3-44A927F197FE}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{84C38EC2-DA63-4069-871D-A58B6F9BD074}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{FA76C633-0BD3-4181-9EB4-0B04EEB80D44}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{96E9E4A0-424B-4F98-B868-A56A815FC9F4}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{9649797A-D207-4AE8-86F1-13F577C2244F}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{CCA18580-EB25-4D58-9F72-CBDDB7C0EC32}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{FD13E65D-B49E-4C88-B04C-160167930815}"= UDP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{B8347549-D977-41AE-ACD3-00CB4E3D0761}"= TCP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{A4CBC2F2-84E5-4D41-948E-A46D4FE553D6}"= UDP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{FCA025DD-D63C-4790-92A5-F9CCB90A2DC9}"= TCP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{46E63CFC-6DB1-4CAC-959F-F0BB81AE43FF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C11A3D50-F5E2-4A73-8806-65927198ACF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11C50D32-1B1A-430C-9EB5-DE251A6D5691}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{67633E6A-5648-43B4-AB44-A3D79FD36D34}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-25 24652]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7bf771a-ef47-11dd-bb5b-001d09afda03}]
\shell\AutoRun\command - .\MigWiz\migsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\CAAntiSpywareScan_Daily as Dad at 7 24 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 22:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\grfm390l.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my2.freeze.com/?AcquisitionID=1356c528-0c89-4777-ad6c-e1d509e16350&s=&ipc=
FF - component: c:\program files\GamingSquared\Gaming2\FF_v1042\components\G2FF_v1042.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 21:11:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2009-03-14 21:13:29
ComboFix-quarantined-files.txt 2009-03-15 01:13:26
ComboFix2.txt 2009-03-14 17:34:57
ComboFix3.txt 2009-03-14 14:33:59

Pre-Run: 18,846,093,312 bytes free
Post-Run: 18,678,378,496 bytes free

253 --- E O F --- 2009-03-12 19:45:29
Old 03-14-2009, 07:35 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,926
OS: WinXP and Vista


Re: Malware Help Please

Files have all been received, thank you.

The remainder of the Kaspersky findings are backups created during the course of this fix which will be taken care of momentarily.


Your logs are clean, and believe me, you have the author of ComboFix to thank for that. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

Vista UAC does protect

Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-14-2009, 07:53 PM   #18 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 10
OS: Vista sp1


Re: Malware Help Please

Ried, Thank you very much!!!!

You guys rock and I am grateful to the author of ComboFix. I can tell this thing is running like it should and I will comply with the suggestions above.

Once again thanks and I consider this done!!
Derwood1 is offline  
Old 03-15-2009, 07:15 AM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,926
OS: WinXP and Vista


Re: Malware Help Please

You're welcome, Derwood1.

Take care and surf safely.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum