Old 07-01-2009, 08:01 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Going to reformat unless help arrives

I picked up something (or several things) kinda nasty along the way. When I first boot up I get MULTIPLE windows from Symantec stating "scanning message", starting in the lower right corner of the screen. Then another window in the center of the screen, also from Symantec, telling me either "the connection to server failed, email unable to be sent" or "connection to server has failed". These windows appear and reappear as I keep closing them. After about a hundred of these pop-ups they just seem to stop, and I'm left with about 40 to 50 envelope icons in my task bar, which go away by just running the mouse over them. When those are gone you would never know I had a problem. I no longer see them until I reboot. When this first started I was also getting multiple web pages appearing (that I wasn't opening), and I was also getting a window stating I needed to update one of my Adobe products (wasn't sure if that one was legitimate). After running multiple spyware products I seem to have gotten rid of the last two issues and am only left with the email problem. I was thinking it was about time to reformat and start with a clean slate, but I'm just not ready to take on that task again.
Any help would be appreciated.
I almost forgot, I am getting a lot of various apps "encountered a problem and needs to close" windows. Not sure if related.
I am running XP Pro, Service Pack 3 with Symantec AntiVirus (I do an update and virus scan once a week).


DDS (Ver_09-06-26.01) - NTFSx86
Run by Rick at 23:20:06.39 on Tue 06/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1181 [GMT -7:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\Rick\obrfkm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rick\obrfkm.exe \s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: IEHlprObjClass: {ce7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\kensington\mouseworks\IE_KMW.DLL
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX580 Series] "c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe" /fu "c:\docume~1\rick\locals~1\temp\E_SE.tmp" /EF "HKCU"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ColdWare] "c:\windows\msb.exe"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRunOnce: [Shockwave Updater] "c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE" -Update -1103472 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10" -"http://www.iwon.com/modules/launchGame/games/includes/blockDotGameIFrame.jhtml?categoryId=1&gameId=531&browser=FF"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] "sttray.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [<NO NAME>]
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [eimq] "c:\windows\system32\eimq.exe" \u
mRun: [MSWheel]
StartupFolder: c:\docume~1\rick\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\e_spsu01.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SPSU01.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SubSystems: Windows = baselid32

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\z1aylvvj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-5 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2009-2-27 11264]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-16 210216]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-6-25 1205760]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090627.006\naveng.sys [2009-6-28 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090627.006\navex15.sys [2009-6-28 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]

=============== Created Last 30 ================

2009-06-29 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-06-29 18:02 <DIR> --d----- c:\program files\PC Drivers HeadQuarters
2009-06-29 17:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-06-29 17:27 <DIR> --d----- c:\program files\Uniblue
2009-06-29 17:27 <DIR> --d----- c:\docume~1\rick\applic~1\Uniblue
2009-06-29 17:26 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-06-27 09:22 <DIR> --d----- c:\program files\common files\Real
2009-06-27 09:20 <DIR> --d----- c:\program files\V CAST Music with Rhapsody
2009-06-27 09:12 <DIR> --d----- c:\program files\LG Electronics
2009-06-27 03:01 <DIR> --d----- c:\program files\MSXML 4.0
2009-06-26 08:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-26 08:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-26 07:41 <DIR> --d----- c:\program files\SpyZooka
2009-06-26 07:40 <DIR> --d----- c:\docume~1\rick\applic~1\GetRightToGo
2009-06-25 17:34 <DIR> --d----- c:\program files\Ask.com
2009-06-25 17:33 <DIR> --d----- c:\program files\MSSOAP
2009-06-25 17:31 1,563,008 a------- c:\windows\WRSetup.dll
2009-06-25 17:31 <DIR> --d----- c:\docume~1\rick\applic~1\Webroot
2009-06-25 17:31 <DIR> --d----- c:\program files\Webroot
2009-06-25 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-06-25 17:29 164 a------- c:\windows\install.dat
2009-06-25 05:26 <DIR> --d----- c:\program files\TuneUp Utilities 2006
2009-06-25 05:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-06-25 05:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-24 09:58 29,696 a------- c:\windows\system32\eimq.exe
2009-06-24 09:58 29,696 ----h--- c:\documents and settings\rick\obrfkm.exe
2009-06-10 22:27 <DIR> --d----- c:\program files\iPod
2009-06-10 22:27 <DIR> --d----- c:\program files\iTunes
2009-06-10 22:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-10 22:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-03 09:14 <DIR> --d----- c:\documents and settings\rick\.thumbnails
2009-06-03 09:01 <DIR> --d----- c:\documents and settings\rick\.gimp-2.6
2009-06-03 09:01 <DIR> --d----- c:\documents and settings\rick\.gegl-0.0
2009-06-03 08:57 <DIR> --d----- c:\program files\GIMP-2.0

==================== Find3M ====================

2009-06-30 23:14 7,304 a------- c:\windows\TMP0001.TMP
2009-06-10 22:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 10:41 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-16 23:39 81,102 a------- c:\windows\system32\ffdshow.reg
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 10:39 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:21:19.62 ===============

Last edited by rspatch; 07-01-2009 at 08:03 AM. Reason: Forgot another symptom
rspatch is offline  
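
The DDS log in the post above carries three persistence indicators a reviewer would flag before running any tool: the Winlogon Userinit value has a second executable appended (c:\documents and settings\rick\obrfkm.exe, a hidden file created 2009-06-24 at the same minute and with the same size as c:\windows\system32\eimq.exe, which has its own mRun entry), the "SubSystems: Windows = baselid32" line reports a name that is not part of the stock csrss/basesrv/winsrv configuration, and the [ColdWare] Run entry launches c:\windows\msb.exe straight out of %windir%. The script below is an added example, not part of the original post and not DDS's own code. It parses the "Pseudo HJT Report" and "Created Last 30" sections with heuristics I chose for this log: it splits the Userinit value on commas and flags anything beyond the stock userinit.exe; it flags any SubSystems line (my reading of DDS is that the line is printed only when the value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows is not stock, which should be confirmed in the registry); it flags Run entries whose image sits directly in a profile root or in %windir%; and it cross-references the remaining Run entries against the recently created files, which is what catches eimq.exe. The input is an excerpt copied from the log; the finding labels are mine.

```python
"""Triage the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS log.

Added example, not DDS or forum code. The heuristics are mine and were
chosen to catch the entries in the log posted above.
"""
import re

# Constructed input: lines copied from the DDS log in the post above.
SAMPLE = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rick\obrfkm.exe \s
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ColdWare] "c:\windows\msb.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [eimq] "c:\windows\system32\eimq.exe" \u
mRun: [<NO NAME>]
SubSystems: Windows = baselid32
=============== Created Last 30 ================
2009-06-25 17:31 1,563,008 a------- c:\windows\WRSetup.dll
2009-06-24 09:58 29,696 a------- c:\windows\system32\eimq.exe
2009-06-24 09:58 29,696 ----h--- c:\documents and settings\rick\obrfkm.exe
"""

# The only value Userinit should hold on a stock XP install (trailing comma aside).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

RUN_RE = re.compile(r'^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
USERINIT_RE = re.compile(r'^mWinlogon: Userinit=(?P<value>.*)$', re.I)
# Assumption: DDS prints this line only when the Session Manager SubSystems\Windows
# value is not the stock csrss/basesrv/winsrv configuration; verify in the registry.
SUBSYS_RE = re.compile(r'^SubSystems: Windows = (?P<value>.*)$')
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')


def image_path(cmd):
    """Return the lower-cased executable path from a Run command line."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower()


def odd_location(path):
    """True for an image directly under a profile root or directly in %windir%,
    where legitimate autostarts rarely live."""
    return bool(re.match(r'^c:\\documents and settings\\[^\\]+\\[^\\]+$', path)
                or re.match(r'^c:\\windows\\[^\\]+$', path))


def recent_files(text):
    """Map lower-cased path -> attribute string for the files in 'Created Last 30'."""
    files = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and '<DIR>' not in line:
            files[m.group('path').lower()] = m.group('attrs')
    return files


def triage(text):
    """Return a list of (finding, evidence) pairs for the notable entries."""
    recent = recent_files(text)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            parts = [p.strip().lower() for p in m.group('value').split(',') if p.strip()]
            if any(p != STOCK_USERINIT for p in parts):
                findings.append(('userinit-hijack', line))
            continue
        if SUBSYS_RE.match(line):
            findings.append(('subsystem-serverdll', line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        if m.group('name') == '<NO NAME>' and not m.group('cmd').strip():
            findings.append(('empty-run-entry', line))
            continue
        path = image_path(m.group('cmd'))
        if odd_location(path):
            findings.append(('run-from-odd-path', line))
        elif path in recent:
            findings.append(('run-of-recent-file', line))
    # A freshly created, hidden .exe is worth a look even without an autostart entry.
    for path, attrs in recent.items():
        if path.endswith('.exe') and 'h' in attrs:
            findings.append(('hidden-recent-exe', path))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE):
        print(f"{kind:22} {evidence}")
```

Run against the excerpt it reports six findings: the Userinit hijack, the msb.exe Run entry, the eimq.exe Run entry (caught only by the cross-reference), the empty mRun entry, the SubSystems line, and the hidden obrfkm.exe. The location heuristic deliberately ignores system32 on its own, since most legitimate autostarts live there; that is why the recent-file cross-check is the part that earns its keep.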

Old 07-02-2009, 11:47 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Hello rspatch,

I see a lot of infections on this system. I do not see the results of the gmer scan - did you have difficulties running the tool?

As noted in our pre-posting topic...


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark.txt in your next reply
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-04-2009, 07:55 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

Sorry about that. I thought I was to send this only if requested. Here is the text from the GMER scan. Thanks again

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-01 05:48:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A2D3D90 ZwAllocateVirtualMemory
SSDT E194B940 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT 8A371170 ZwCreateProcess
SSDT 8A3DC278 ZwCreateProcessEx
SSDT 8A399AA0 ZwCreateThread
SSDT 8A3D3328 ZwDeleteKey
SSDT 8A399C60 ZwDeleteValueKey
SSDT 8A386238 ZwQueueApcThread
SSDT 8A3D3710 ZwReadVirtualMemory
SSDT 8A3BC328 ZwRenameKey
SSDT 8A3871E8 ZwSetContextThread
SSDT 8A3BC510 ZwSetInformationKey
SSDT 8A3BB180 ZwSetInformationProcess
SSDT 8A385FA8 ZwSetInformationThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA918BFE]
SSDT 8A3D6538 ZwSuspendProcess
SSDT 8A2D3B08 ZwSuspendThread
SSDT 8A370020 ZwTerminateProcess
SSDT 8A373258 ZwTerminateThread
SSDT 8A2D3D18 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip 8A3540D8
Device \Driver\Tcpip \Device\Ip 8A2374D8
Device \Driver\Tcpip \Device\Ip 8A0ABD60
Device \Driver\Tcpip \Device\Ip 89A780C8
Device \Driver\Tcpip \Device\Ip 89B200C8
Device \Driver\Tcpip \Device\Ip 89C9D068
Device \Driver\Tcpip \Device\Ip 8A12C6E0

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Tcp 8A3540D8
Device \Driver\Tcpip \Device\Tcp 8A2374D8
Device \Driver\Tcpip \Device\Tcp 8A0ABD60
Device \Driver\Tcpip \Device\Tcp 89A780C8
Device \Driver\Tcpip \Device\Tcp 89B200C8
Device \Driver\Tcpip \Device\Tcp 89C9D068
Device \Driver\Tcpip \Device\Tcp 8A12C6E0

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp 8A3540D8
Device \Driver\Tcpip \Device\Udp 8A2374D8
Device \Driver\Tcpip \Device\Udp 8A0ABD60
Device \Driver\Tcpip \Device\Udp 89A780C8
Device \Driver\Tcpip \Device\Udp 89B200C8
Device \Driver\Tcpip \Device\Udp 89C9D068
Device \Driver\Tcpip \Device\Udp 8A12C6E0

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp 8A3540D8
Device \Driver\Tcpip \Device\RawIp 8A2374D8
Device \Driver\Tcpip \Device\RawIp 8A0ABD60
Device \Driver\Tcpip \Device\RawIp 89A780C8
Device \Driver\Tcpip \Device\RawIp 89B200C8
Device \Driver\Tcpip \Device\RawIp 89C9D068
Device \Driver\Tcpip \Device\RawIp 8A12C6E0

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST 8A3540D8
Device \Driver\Tcpip \Device\IPMULTICAST 8A2374D8
Device \Driver\Tcpip \Device\IPMULTICAST 8A0ABD60
Device \Driver\Tcpip \Device\IPMULTICAST 89A780C8
Device \Driver\Tcpip \Device\IPMULTICAST 89B200C8
Device \Driver\Tcpip \Device\IPMULTICAST 89C9D068
Device \Driver\Tcpip \Device\IPMULTICAST 8A12C6E0

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
rspatch is offline  
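
In the GMER log above, two SSDT hooks are attributed to Lbd.sys (the Lavasoft Ad-Watch boot driver) and nineteen more show only a bare kernel address, meaning GMER could not map the handler to a loaded module; the device section shows Webroot, Symantec and Lavasoft filter drivers stacked on the NTFS, FAT and TCP/IP device objects. The parser below is an added example, not GMER's code and not part of the forum replies. It separates attributed hooks from unattributed ones and lists the filter stack per device, which is the first pass a reviewer makes before deciding whether an unattributed hook deserves a closer look. With three security products loaded, those pool-address hooks are most plausibly their own self-protection, but the log alone cannot prove that; what the parser produces is the list you would check against the hooks those products are known to install. The input is an excerpt copied from the log above.

```python
"""Summarise the SSDT and AttachedDevice sections of a GMER log.

Added example, not GMER's or the forum's code. Hooks that GMER cannot
attribute to a loaded module are listed separately, because those are the
ones a reviewer has to account for by hand.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the GMER log in the post above.
SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 8A2D3D90 ZwAllocateVirtualMemory
SSDT E194B940 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT 8A371170 ZwCreateProcess
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA918BFE]
SSDT 8A370020 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
"""

# "SSDT <module> (<description>/<vendor>) <ZwFunc> [0x<addr>]": handler inside a known module.
SSDT_MOD_RE = re.compile(
    r'^SSDT (?P<module>\S+) \((?P<desc>.*)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$')
# "SSDT <addr> <ZwFunc>": handler at a bare kernel address GMER could not map to a module.
SSDT_RAW_RE = re.compile(r'^SSDT (?P<addr>[0-9A-Fa-f]{8}) (?P<func>Zw\w+)$')
ATTACHED_RE = re.compile(
    r'^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<module>\S+) \((?P<desc>.*)\)$')


def parse_ssdt(text):
    """Return (attributed, unattributed).

    attributed:   module name -> list of hooked Zw* functions
    unattributed: list of (address, function) pairs, in log order
    """
    attributed = defaultdict(list)
    unattributed = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_MOD_RE.match(line)
        if m:
            attributed[m.group('module')].append(m.group('func'))
            continue
        m = SSDT_RAW_RE.match(line)
        if m:
            unattributed.append((m.group('addr'), m.group('func')))
    return dict(attributed), unattributed


def parse_filters(text):
    """Return device object -> list of attached filter modules, in the order GMER lists them."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        m = ATTACHED_RE.match(raw.strip())
        if m:
            stacks[m.group('device')].append(m.group('module'))
    return dict(stacks)


def vendors(text):
    """Set of vendor strings (the part after '/' in GMER's description) seen in the log."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_MOD_RE.match(line) or ATTACHED_RE.match(line)
        if m:
            seen.add(m.group('desc').split('/', 1)[-1])
    return seen


if __name__ == "__main__":
    attributed, unattributed = parse_ssdt(SAMPLE)
    for module, funcs in attributed.items():
        print(f"{module}: {', '.join(funcs)}")
    print(f"{len(unattributed)} hook(s) at bare kernel addresses:")
    for addr, func in unattributed:
        print(f"  {addr} {func}")
    for device, modules in parse_filters(SAMPLE).items():
        print(f"{device}: {' -> '.join(modules)}")
    print("vendors:", sorted(vendors(SAMPLE)))
```

The vendor set is the quick sanity check: every attributed hook and every filter in this excerpt belongs to Lavasoft, Symantec or Webroot, all of which are installed on the machine per the DDS log, so nothing in the attributed portion is unexpected. The unattributed entries remain unresolved by the parser on purpose; confirming them means checking each address against the loaded-module list, which GMER's log does not include.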
Old 07-04-2009, 08:21 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Thanks, rspatch. :-)

Before we do anything, I need you to uninstall one of your onboard AVs. I see Webroot AntiVirus with AntiSpyware and Symantec AntiVirus Corporate Edition. It's never a good idea to have more than one antivirus installed at a given time. Doing so will cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only one and uninstall the other via Add/Remove Programs in the Control Panel.

After you've done the above...

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-05-2009, 07:48 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

OK, I ran ComboFix. It gave me warnings that Symantec Auto-Protect was on, despite turning off all the auto-protects. Anyway, here's the ComboFix log. Hope it helps. Thanks again
Spatch

ComboFix 09-07-04.05 - Rick 07/05/2009 6:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1204 [GMT -7:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rick\obrfkm.exe
c:\windows\system32\baselid32.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-03 04:20 . 2009-07-03 04:20 1048576 ----a-w- c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\z1aylvvj.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-07-02 06:17 . 2009-07-02 06:21 -------- d-----w- C:\rei
2009-07-02 06:16 . 2009-07-02 06:17 -------- d-----w- c:\program files\Reimage
2009-06-30 01:03 . 2009-06-30 01:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PC_Drivers_Headquarters
2009-06-30 01:02 . 2009-06-30 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-06-30 01:02 . 2009-06-30 01:02 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-06-30 00:25 . 2006-12-01 20:54 626688 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll
2009-06-27 16:22 . 2009-06-27 16:23 -------- d-----w- c:\program files\Common Files\Real
2009-06-27 16:20 . 2009-06-27 16:22 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-06-27 16:12 . 2009-06-27 16:12 -------- d-----w- c:\program files\LG Electronics
2009-06-27 10:01 . 2009-06-27 10:01 -------- d-----w- c:\program files\MSXML 4.0
2009-06-26 15:05 . 2009-06-26 15:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-26 15:05 . 2009-06-26 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 14:41 . 2009-07-01 05:41 -------- d-----w- c:\program files\SpyZooka
2009-06-26 14:40 . 2009-06-26 14:42 -------- d-----w- c:\documents and settings\Rick\Application Data\GetRightToGo
2009-06-26 00:42 . 2009-07-03 08:06 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\AskToolbar
2009-06-26 00:34 . 2009-06-26 00:34 -------- d-----w- c:\program files\Ask.com
2009-06-26 00:33 . 2009-06-26 00:33 -------- d-----w- c:\program files\MSSOAP
2009-06-26 00:31 . 2009-06-26 00:31 -------- d-----w- c:\program files\Webroot
2009-06-26 00:29 . 2009-06-26 00:29 164 ----a-w- c:\windows\install.dat
2009-06-25 12:26 . 2009-06-25 12:27 -------- d-----w- c:\program files\TuneUp Utilities 2006
2009-06-25 12:26 . 2009-06-25 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-25 12:25 . 2009-06-25 12:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 16:58 . 2009-06-24 16:58 29696 ----a-w- c:\windows\system32\eimq.exe
2009-06-23 17:41 . 2009-06-29 17:55 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-23 17:41 . 2009-06-29 17:55 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-23 17:41 . 2009-06-29 17:55 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-23 17:41 . 2009-06-29 17:55 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-23 17:41 . 2009-06-29 17:53 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-23 17:41 . 2009-06-29 17:53 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-23 17:41 . 2009-06-29 17:51 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-23 17:41 . 2009-06-29 17:50 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-23 17:41 . 2009-06-29 17:49 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-23 17:41 . 2009-06-29 17:49 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-23 17:41 . 2009-06-30 17:41 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-23 17:40 . 2009-06-30 17:41 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-23 17:40 . 2009-06-30 17:41 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-23 17:40 . 2009-06-30 17:41 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-11 05:27 . 2009-06-11 05:27 -------- d-----w- c:\program files\iPod
2009-06-11 05:27 . 2009-06-11 05:28 -------- d-----w- c:\program files\iTunes
2009-06-11 05:27 . 2009-06-11 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-11 05:13 . 2009-06-11 05:14 -------- d-----w- c:\program files\QuickTime
2009-06-11 04:58 . 2009-06-11 04:58 152576 ----a-w- c:\documents and settings\Rick\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 13:37 . 2008-10-17 23:10 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-05 13:34 . 2009-03-11 10:08 7304 ----a-w- c:\windows\TMP0001.TMP
2009-07-05 12:56 . 2008-07-29 06:29 -------- d-----w- c:\program files\EPSON Print CD
2009-07-04 06:57 . 2008-07-31 02:54 -------- d-----w- c:\program files\BitComet
2009-07-04 01:00 . 2009-01-24 10:03 -------- d-----w- c:\program files\Norton Security Scan
2009-06-30 00:28 . 2009-06-30 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-06-30 00:27 . 2009-06-30 00:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-06-30 00:27 . 2009-06-30 00:27 -------- d-----w- c:\program files\Uniblue
2009-06-30 00:27 . 2009-06-30 00:27 -------- d-----w- c:\documents and settings\Rick\Application Data\Uniblue
2009-06-29 17:53 . 2009-05-26 17:41 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 17:51 . 2009-05-26 17:41 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 17:51 . 2009-05-26 17:41 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-27 16:12 . 2008-07-29 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 16:36 . 2009-02-28 01:53 -------- d-----w- c:\program files\Vstplugins
2009-06-24 16:34 . 2009-02-28 01:52 -------- d-----w- c:\program files\Sony
2009-06-24 16:26 . 2009-02-28 01:49 -------- d-----w- c:\program files\Sony Setup
2009-06-11 05:27 . 2008-07-30 15:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-11 05:01 . 2008-12-09 20:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-03 16:14 . 2009-06-03 16:14 -------- d-----w- c:\documents and settings\Rick\Application Data\gtk-2.0
2009-06-03 15:57 . 2009-06-03 15:57 -------- d-----w- c:\program files\GIMP-2.0
2009-05-30 19:50 . 2009-05-30 19:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-26 17:41 . 2009-05-26 17:41 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-26 17:41 . 2009-05-05 20:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 00:18 . 2009-05-17 06:27 -------- d-----w- c:\program files\ffdshow
2009-05-25 03:03 . 2008-08-11 22:17 -------- d-----w- c:\documents and settings\Rick\Application Data\U3
2009-05-19 13:05 . 2009-05-19 13:05 1380403 ----a-w- c:\windows\system32\avgsdk.dll
2009-05-17 06:39 . 2009-05-17 06:38 81102 ----a-w- c:\windows\system32\ffdshow.reg
2009-05-17 06:21 . 2009-05-17 06:20 -------- d-----w- c:\documents and settings\Rick\Application Data\Media Player Classic
2009-05-17 06:19 . 2009-05-17 06:19 -------- d-----w- c:\program files\Media Player Classic
2009-05-17 06:15 . 2009-05-17 06:15 -------- d-----w- c:\program files\Belarc
2009-05-17 06:11 . 2009-05-17 06:11 -------- d-----w- c:\program files\WinDirStat
2009-05-07 15:32 . 2004-08-04 07:56 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 17:39 . 2009-05-05 17:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-05 17:39 . 2009-05-05 17:39 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-08-04 07:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 06:17 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 07:56 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 22:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"eimq"="c:\windows\system32\eimq.exe" [2009-06-24 29696]
"Reimage PC Booster"="c:\program files\Reimage\Reimage PC Booster\Postrebootexecuter.exe" [2009-06-23 83240]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

c:\documents and settings\Rick\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-11-25 728408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-2 565309]
E_SPSU01.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SPSU01.EXE [2008-8-7 52736]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Rick\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\eimq.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26934:TCP"= 26934:TCP:BitComet 26934 TCP
"26934:UDP"= 26934:UDP:BitComet 26934 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/5/2009 10:40 AM 64160]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/27/2009 7:17 PM 11264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/16/2009 9:38 PM 210216]
S3 cpuz128;cpuz128;\??\c:\docume~1\Rick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Rick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [11/18/2008 6:36 AM 7808]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392]
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 05:35]

2009-06-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:49]

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-04 c:\windows\Tasks\Norton Security Scan for Rick.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 12:18]

2009-07-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\z1aylvvj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 06:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\kmw_show.exe
c:\program files\Reimage\Reimage PC Booster\reimageBooster.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Reimage\Reimage PC Booster\REI_Booster.exe
.
**************************************************************************
.
Completion time: 2009-07-05 6:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 13:43

Pre-Run: 190,639,525,888 bytes free
Post-Run: 190,998,470,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

243 --- E O F --- 2009-06-27 10:01
Old 07-05-2009, 08:42 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Hello rspatch,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/390691-going-reformat-unless-help-arrives.html#post2223738

Collect::
c:\windows\system32\eimq.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\eimq.exe"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
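The CFScript in the post above does two things for one binary: it collects c:\windows\system32\eimq.exe for analysis and deletes the Windows Firewall exception that was created for it, because an autostart entry that also holds a firewall exception is worth a closer look. As an added illustration of that triage step (not part of Ried's post and not ComboFix's own code), the Python below parses the "Reg Loading Points" part of a ComboFix log, cross-references Run-key entries with the AuthorizedApplications list, and emits the matching CFScript stanzas. The log excerpt is constructed from the lines posted earlier in this thread; the line formats are inferred from those lines, and expanding %windir% to c:\windows is an assumption.

```python
"""Cross-reference ComboFix 'Reg Loading Points' autostart entries with
Windows Firewall application exceptions and emit CFScript stanzas.

SAMPLE_LOG is a constructed excerpt of the ComboFix log posted earlier in
this thread; the regexes below are inferred from those lines."""
import re
from typing import Dict, List, Tuple

# Assumption: default XP install path, used to expand %windir% in the
# firewall list so it can be compared with the absolute paths in Run keys.
WINDIR = r"c:\windows"

# "name"="value" [date size]   or   "name"="file.exe" - full\path [date size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<path>.+?))?'
    r' \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# "c:\\path\\to\\app.exe"=      (ComboFix prints doubled backslashes here)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"eimq"="c:\windows\system32\eimq.exe" [2009-06-24 29696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\eimq.exe"=
"""


def norm(path: str) -> str:
    """Canonical form for comparison: single backslashes, lower case,
    %windir% expanded."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", WINDIR)


def parse_loading_points(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (autostart, firewall): autostart maps normalized binary path to
    the Run value name; firewall maps normalized path to the value name exactly
    as ComboFix printed it (needed to delete that value by name later)."""
    autostart: Dict[str, str] = {}
    firewall: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            if r"currentversion\run" in key:
                section = "run"
            elif "authorizedapplications" in key:
                section = "fw"
            else:
                section = None
            continue
        if section == "run":
            m = RUN_RE.match(line)
            if m:
                autostart[norm(m.group("path") or m.group("value"))] = m.group("name")
        elif section == "fw":
            m = FW_RE.match(line)
            if m:
                firewall[norm(m.group("path"))] = m.group("path")
    return autostart, firewall


def flag_autostart_with_exception(text: str) -> List[str]:
    """Binaries that both start with Windows and are allowed through the
    firewall. Legitimate software can land here too (a media player that also
    listens on the network), so this narrows the review; it does not decide it."""
    autostart, firewall = parse_loading_points(text)
    return sorted(p for p in autostart if p in firewall)


def cfscript(text: str) -> str:
    """CFScript text in the style of the post above: collect each flagged
    binary for analysis and delete its firewall exception (in REGEDIT4 syntax
    the '=-' suffix removes that value)."""
    _autostart, firewall = parse_loading_points(text)
    hits = flag_autostart_with_exception(text)
    lines = ["Collect::", *hits, "", "Registry::",
             r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"]
    lines += ['"%s"=-' % firewall[p] for p in hits]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(cfscript(SAMPLE_LOG))
```

Run against the excerpt, the only intersection is eimq.exe, and the generated script matches the one in the post. On a real log, review every flagged path by hand before dropping it into a CFScript; the collect step exists precisely so an analyst can look at the file before anything is deleted.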
Old 07-05-2009, 07:25 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

Haven't given up. This Kaspersky scan is taking a long time. 55 minutes and I'm only at 2%. I ran it once already; when I came back to the computer after a couple of hours, the Kaspersky window had closed, and the computer was at the Kaspersky web site.
I hope I haven't done something wrong?
Will keep at it.
Thanks
Spatch
Old 07-05-2009, 07:28 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Hi Spatch,

Make sure you have all programs closed, especially your onboard AV and Anti Malware programs, or they will slow it down considerably. Every folder and file Kaspersky is looking at, they will run to go look at too.
Old 07-06-2009, 07:47 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

Ok, Kaspersky ran in a little under 4 hours. Here is the log! good luck!
Thanks again
Rspatch

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 06, 2009 09:35:05
Records in database: 2431747
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan statistics:
Files scanned: 112138
Threat name: 10
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 03:45:36


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000.VBN Infected: not-a-virus:AdWare.Win32.Agent.lmz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980000.VBN Infected: Trojan.Win32.Inject.aerj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980002.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980003.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980004.VBN Infected: Trojan-PSW.Win32.LdPinch.cdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980006.VBN Infected: Trojan-Downloader.Win32.Agent.nze 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40000.VBN Infected: Trojan.Win32.Pakes.nnd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40001.VBN Infected: Trojan.Win32.Pakes.nnd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40002.VBN Infected: Trojan.Win32.Pakes.nnd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40000.VBN Infected: Trojan.Win32.Pakes.nnd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40001.VBN Infected: Trojan.Win32.Monderd.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40002.VBN Infected: Trojan.Win32.Monderd.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40003.VBN Infected: Trojan.Win32.Monderd.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40004.VBN Infected: Trojan.Win32.Monderd.gen 1
C:\Dowloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso Infected: not-a-virus:PSWTool.Win32.RAS.g 1
C:\Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso Infected: not-a-virus:PSWTool.Win32.RAS.a 1
C:\Downloads\WINDOWS XP SP3 - 2009 - ULTRA EDITION\GRTMPVOL_EN.iso Infected: Backdoor.Win32.Hupigon.fgvq 1
C:\System Volume Information\_restore{02391A09-845E-4CF4-8190-36090BA0C7E4}\RP1\A0000085.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1
C:\System Volume Information\_restore{02391A09-845E-4CF4-8190-36090BA0C7E4}\RP1\A0000086.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1
C:\System Volume Information\_restore{02391A09-845E-4CF4-8190-36090BA0C7E4}\RP1\A0000087.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1

The selected area was scanned.
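The report above mixes three very different kinds of hit: files already sitting in Symantec's quarantine store, copies preserved in System Restore points, and live files under C:\Downloads, two of which are the pirated XP ISOs that brought the infection in. Ried's earlier warning ("Many of the finds have likely been quarantined") is the triage rule a reader should apply. As an added example (not Kaspersky's code and not part of either post), the Python below parses that report format, separates contained detections from live ones, and sets aside Kaspersky's "not-a-virus:" riskware labels so the actionable items stand out. The report excerpt is constructed from the log posted above; the line format and the containment markers are assumptions drawn from it.

```python
"""Triage of a Kaspersky Online Scanner 7 report: separate detections that
are already contained (AV quarantine, System Restore snapshots) from
detections on live files, then single out the live malware.

SAMPLE_REPORT is a constructed excerpt of the report posted above."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000.VBN Infected: not-a-virus:AdWare.Win32.Agent.lmz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980000.VBN Infected: Trojan.Win32.Inject.aerj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07980004.VBN Infected: Trojan-PSW.Win32.LdPinch.cdz 1
C:\Dowloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso Infected: not-a-virus:PSWTool.Win32.RAS.g 1
C:\Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso Infected: not-a-virus:PSWTool.Win32.RAS.a 1
C:\Downloads\WINDOWS XP SP3 - 2009 - ULTRA EDITION\GRTMPVOL_EN.iso Infected: Backdoor.Win32.Hupigon.fgvq 1
C:\System Volume Information\_restore{02391A09-845E-4CF4-8190-36090BA0C7E4}\RP1\A0000085.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1

The selected area was scanned.
"""

Hit = Tuple[str, str, str, int]  # (path, verdict, threat name, count)

# One detection per line: <path> Infected: <threat> <count>
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumption: path fragments that mean the object is already isolated from the
# running system, an AV vendor's quarantine store and System Restore snapshots.
CONTAINED_MARKERS = ("\\quarantine\\", "\\system volume information\\")


def parse_hits(report: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict"),
                         m.group("threat"), int(m.group("count"))))
    return hits


def is_contained(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def classify(report: str) -> Dict[str, List[Hit]]:
    """Bucket every detection as 'contained' or 'live'."""
    buckets: Dict[str, List[Hit]] = {"contained": [], "live": []}
    for hit in parse_hits(report):
        buckets["contained" if is_contained(hit[0]) else "live"].append(hit)
    return buckets


def is_riskware(threat: str) -> bool:
    """Kaspersky prefixes tools that are not malware in themselves (key
    finders, remote admin tools, adware) with 'not-a-virus:'."""
    return threat.lower().startswith("not-a-virus:")


def live_malware(report: str) -> List[Tuple[str, str]]:
    """Live detections with a real malware family, one entry per path,
    in report order. This is the list that needs action."""
    seen = set()
    out: List[Tuple[str, str]] = []
    for path, _verdict, threat, _count in classify(report)["live"]:
        if is_riskware(threat) or path in seen:
            continue
        seen.add(path)
        out.append((path, threat))
    return out


def family_counts(report: str) -> Counter:
    """Detections per threat name across all buckets, for a quick overview."""
    return Counter(threat for _p, _v, threat, _c in parse_hits(report))


if __name__ == "__main__":
    buckets = classify(SAMPLE_REPORT)
    print(f"contained: {len(buckets['contained'])}, live: {len(buckets['live'])}")
    for path, threat in live_malware(SAMPLE_REPORT):
        print("ACTION:", threat, "->", path)
```

On the excerpt this leaves exactly one actionable item, the Backdoor.Win32.Hupigon detection inside GRTMPVOL_EN.iso, which is what Ried's "Those iso's need to go" reply addresses. The restore-point copies are handled separately by the `ComboFix /u` cleanup in the final post, which flushes old restore points.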
Old 07-06-2009, 07:49 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Where did you obtain the Windows XP .iso's ?
Old 07-06-2009, 09:15 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

I had used Bitcomet to search for a newer version of xp. I have a legitimate early copy of xp home that doesn't recognize bigger hard drives. I got the ISO from either of these two sites.

**edited links so no one else gets infected by the download**


At your demand, I got rid of Bitcomet, never to be used again.
Does that help at all?
Thanks
Spatch

Last edited by Ried; 07-06-2009 at 09:43 PM.
Old 07-06-2009, 09:42 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

That helps, yes. I'm sorry to say that they gave you a bit more than an XP SP update. Those iso's need to go. Delete them.

How is the system behaving now?
Old 07-07-2009, 07:43 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro


Re: Going to reformat unless help arrives

Thanks! The system seems to be running well. It might seem a little sluggish, but that might be my imagination. No more popups or email notices. Seems back to normal. And those ISOs are gone as soon as I'm done here. Thanks for everything.
Spatch
Old 07-07-2009, 06:55 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,613
OS: WinXP and Vista


Re: Going to reformat unless help arrives

Glad to hear it. Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
Copyright 2001 - 2009, Tech Support Forum