Resolved HJT Threads Resolved spyware and popup issues.

 
 
08-17-2009, 08:39 PM   #1
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Clicking sound and songs/audio advertisements playing automatically!!

Hello
My computer is making a clicking sound all the time (even when no app is running!). Sometimes it plays songs/advertisements on its own. When I look at the processes it shows a.exe or b.exe.
I have tried running Malwarebytes and it detects some trojan.boot, backdoor.bot etc., sometimes 9 or 22 infections, and says one file will be deleted only after reboot (i.e. EvdoServer.dll).
Now every time after a restart, if I scan, it won't show any infection, but after a day or two it shows infections again. Also, as it says backdoor.bot, I am afraid of doing money-related transactions. Please help me clean my laptop! I have disabled my system restore and all logs are from after running a fresh malware cleanup.

THANKS in advance!!


Here are the logs, as mentioned in the procedure:


DDS (Ver_09-07-30.01) - NTFSx86
Run by moon at 19:13:53.81 on Mon 08/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.358 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\dvdpaly.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\moon\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = https://pccreg.trendmicro.com/12/PCC...reg/wcoBuy.asp
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\moon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cdloader] "c:\documents and settings\moon\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\moon\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.bitstream.com/wfplayer/tdserver.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.ooxtv.com/vjocx-en.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-8-10 95232]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-11 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090816.003\naveng.sys [2009-8-16 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090816.003\navex15.sys [2009-8-16 875728]
S2 vvdsvc;VJVodClientServices;c:\windows\system32\svchost.exe -k vvdsvc [2005-8-16 14336]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

=============== Created Last 30 ================

2009-08-15 17:48 216,064 a------- c:\windows\PEV.exe
2009-08-15 17:48 161,792 a------- c:\windows\SWREG.exe
2009-08-15 17:48 98,816 a------- c:\windows\sed.exe
2009-08-12 08:08 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:08 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-08 13:57 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-08 13:52 50,176 a------- c:\windows\system32\proquota.exe
2009-08-08 13:52 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-08-08 13:48 <DIR> a-dshr-- C:\cmdcons
2009-08-08 11:51 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-08 11:50 <DIR> --d----- c:\program files\CCleaner
2009-08-07 22:38 <DIR> --d----- c:\documents and settings\moon\.housecall6.6
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 09:01 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 09:01 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll

==================== Find3M ====================

2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 11:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 11:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 11:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 11:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 11:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-14 18:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-12 06:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 06:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 06:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-11 17:42 70,984 a------- c:\documents and settings\moon\g2mdlhlpx.exe
2009-06-11 13:08 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-10 21:11 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 08:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 08:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 00:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 00:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 04:12 102,912 -------- c:\windows\system32\dllcache\iecompat.dll

============= FINISH: 19:14:17.92 ===============
Attached Files
File Type: zip Attach.zip (4.0 KB, 1 views)
Monami_S is offline  
08-20-2009, 08:58 PM   #2
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Re: Clicking sound and songs/audio advertisements playing automatically!!

BUMP, please
Monami_S is offline  
08-21-2009, 07:28 AM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Clicking sound and songs/audio advertisements playing automatically!!

You've left out some details of what you've done already. Post the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
08-21-2009, 09:30 AM   #4
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Re: Clicking sound and songs/audio advertisements playing automatically!!

Oh OK!! I really appreciate your time. Thanks for helping.

Here are the ComboFix logs. (Please let me know if I am supposed to attach this as a text file rather than posting it here.)

ComboFix 09-08-10.06 - moon 08/15/2009 17:49.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.464 [GMT -6:00]
Running from: c:\documents and settings\moon\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj65997.dll
c:\windows\TEMP\mta75402.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 02:32 . 2009-08-15 02:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-12 14:08 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 19:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-08 19:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-08 17:53 . 2009-08-08 18:31 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-08 17:51 . 2009-08-08 17:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:50 . 2009-08-08 17:50 -------- d-----w- c:\program files\CCleaner
2009-08-08 17:47 . 2009-08-08 17:47 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-08 04:38 . 2009-08-08 15:58 -------- d-----w- c:\documents and settings\moon\.housecall6.6
2009-08-08 02:47 . 2009-08-08 02:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 17:04 . 2009-08-02 17:04 -------- d-----w- c:\program files\Common Files\Skype
2009-07-29 15:01 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 15:01 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-17 20:00 . 2009-08-05 02:01 -------- d-----w- c:\documents and settings\moon\Local Settings\Application Data\Temp
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 23:56 . 2009-06-11 19:08 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-15 17:08 . 2009-06-13 03:16 -------- d-----w- c:\documents and settings\moon\Application Data\Skype
2009-08-15 16:11 . 2009-06-13 03:17 -------- d-----w- c:\documents and settings\moon\Application Data\skypePM
2009-08-10 04:38 . 2009-06-20 23:09 -------- d-----w- c:\documents and settings\moon\Application Data\AdobeUM
2009-08-08 17:47 . 2009-06-26 14:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 03:24 . 2009-06-11 19:20 48304 ----a-w- c:\documents and settings\moon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2009-06-26 14:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2009-06-26 14:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 17:04 . 2009-06-13 03:16 -------- d-----r- c:\program files\Skype
2009-08-02 17:04 . 2009-06-13 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-30 04:14 . 2009-06-21 22:46 -------- d-----w- c:\program files\MetaTrader - Alpari (US)
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 03:49 . 2009-07-16 03:49 -------- d-----w- c:\program files\WordWeb
2009-07-14 01:22 . 2009-07-14 01:20 -------- d-----w- c:\documents and settings\moon\Application Data\mjusbsp
2009-07-14 01:21 . 2009-07-14 01:20 7685232 ---h--w- c:\documents and settings\moon\Application Data\mjusbsp\ar00000\upgrade.exe
2009-07-13 16:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 18:27 . 2006-02-20 09:39 -------- d-----w- c:\program files\Google
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\DivX
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-05 18:41 . 2009-07-05 18:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 14:44 . 2009-06-26 14:44 -------- d-----w- c:\documents and settings\moon\Application Data\Malwarebytes
2009-06-26 14:44 . 2009-06-26 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 23:09 . 2009-06-20 23:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-19 03:49 . 2009-06-19 03:23 -------- d-----w- c:\documents and settings\moon\Application Data\Apple Computer
2009-06-19 03:26 . 2009-06-19 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-19 03:23 . 2009-06-19 03:22 -------- d-----w- c:\program files\iTunes
2009-06-19 03:23 . 2009-06-19 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 03:22 . 2009-06-19 03:22 -------- d-----w- c:\program files\iPod
2009-06-19 03:22 . 2009-06-19 03:20 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 03:22 . 2009-06-19 03:22 -------- d-----w- c:\program files\Bonjour
2009-06-19 03:22 . 2009-06-19 03:21 -------- d-----w- c:\program files\QuickTime
2009-06-19 03:21 . 2009-06-19 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-19 03:21 . 2009-06-19 03:21 -------- d-----w- c:\program files\Apple Software Update
2009-06-18 00:50 . 2009-06-18 00:50 -------- d-----w- c:\documents and settings\moon\Application Data\Sonic
2009-06-18 00:49 . 2009-06-18 00:49 -------- d-----w- c:\documents and settings\moon\Application Data\Leadertech
2009-06-18 00:46 . 2009-06-18 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-06-18 00:46 . 2009-06-18 00:46 327437 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\CIP\TransferAgentSetup.exe
2009-06-18 00:46 . 2009-06-18 00:46 1896448 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\dplugins\2.0.1.571\DiagPlugin.dll
2009-06-18 00:46 . 2009-06-18 00:46 123138 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\HTML\MakeDesktopShortcut.EXE
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 03:01 . 2009-06-11 00:30 127 ----a-w- c:\documents and settings\moon\Local Settings\Application Data\fusioncache.dat
2009-06-15 00:26 . 2009-06-15 00:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-15 00:25 . 2009-06-15 00:25 152576 ----a-w- c:\documents and settings\moon\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 03:17 . 2009-06-13 03:17 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 23:42 . 2009-06-11 23:42 70984 ----a-w- c:\documents and settings\moon\g2mdlhlpx.exe
2009-06-11 19:08 . 2009-06-11 19:08 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-11 19:08 . 2009-06-11 19:08 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-11 03:11 . 2005-08-16 10:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-11 01:20 . 2009-06-11 01:20 64512 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\HTML\item_templ\coach\RunGdp.exe
2009-06-11 01:18 . 2009-06-11 01:18 698511 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\AutoMaintenance\AutoMaintenance.dll
2009-06-11 01:18 . 2009-06-11 01:18 225280 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\AutoMaintenance\Images.dll
2009-06-10 15:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 19:57 . 2009-06-05 19:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 17:42 . 2009-06-19 03:21 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 17:42 . 2009-06-19 03:21 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 01:50 . 2009-06-11 14:24 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_19.54.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 23:55 . 2009-08-15 23:55 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat
+ 2004-08-10 11:00 . 2004-08-10 11:00 95232 c:\windows\system32\sofatnet.exe
+ 2009-06-11 03:47 . 2009-08-10 14:44 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 11:00 . 2004-08-10 11:00 45568 c:\windows\system32\EvdoServer.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 80896 c:\windows\system32\dllcache\tlntsess.exe
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-08-10 04:38 . 2009-08-10 04:38 25214 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70000000000}\SC_Reader.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2004-08-10 11:00 . 2004-08-10 11:00 128512 c:\windows\system32\dvdpaly.exe
+ 2009-07-13 16:08 . 2009-07-13 16:08 286720 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
- 2009-06-29 02:01 . 2009-08-08 15:53 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-29 02:01 . 2009-08-15 18:04 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-15 23:56 . 2009-07-03 17:09 1208832 c:\windows\Temp\x1c91521.dll
+ 2009-08-15 23:55 . 2009-07-03 17:09 1208832 c:\windows\Temp\mta37918.dll
+ 2009-08-15 23:55 . 2009-07-03 17:09 1208832 c:\windows\Temp\mpj45852.dll
+ 2005-09-28 20:46 . 2005-09-28 20:46 1184984 c:\windows\system32\wvc1dmod.dll
+ 2005-08-16 10:19 . 2009-07-13 16:08 5537792 c:\windows\system32\wmp.dll
- 2005-08-16 10:19 . 2007-04-30 14:20 5537792 c:\windows\system32\wmp.dll
+ 2009-07-13 16:08 . 2009-07-13 16:08 5537792 c:\windows\system32\dllcache\wmp.dll
+ 2009-06-10 15:19 . 2009-06-10 15:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2009-08-10 04:38 . 2009-08-10 04:38 2727936 c:\windows\Installer\64ab31.msi
+ 2009-06-14 21:52 . 2009-07-30 00:49 24281536 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-26 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-11 68856]
"cdloader"="c:\documents and settings\moon\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-20 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]

c:\documents and settings\moon\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-7-15 42168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-2-20 156784]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\moon\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 4:18 AM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 5:00 AM 95232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2009 1:19 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1796996158-2338655297-3951568191-1006Core.job
- c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-26 03:29]

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1796996158-2338655297-3951568191-1006UA.job
- c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-26 03:29]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = https://pccreg.trendmicro.com/12/PCC...reg/wcoBuy.asp
uInternet Settings,ProxyOverride = *.local
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wiwow64.exe 128512 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6116)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\windows\TEMP\t4m0_562424317662.bk.old
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-08-15 18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 00:00
ComboFix2.txt 2009-08-08 19:58

Pre-Run: 79,513,604,096 bytes free
Post-Run: 79,776,055,296 bytes free

293 --- E O F --- 2009-08-12 23:38
Monami_S is offline  
Old 08-21-2009, 09:49 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Clicking sound and songs/audio advertisements playing automatically!!

You're welcome,

Quote:
I have disabled my sys restore.
Don't do that. Should the system go 'south' for any reason, or become unbootable, it's best to have a safety net, even if it contains infections. Better to have an infected restore point that you may be able to invoke, than no restore point at all. Once the infections have been cleaned, then you can flush out old restore points and create a new, fresh one.


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Delete your existing ComboFix.exe and download a fresh copy from either of the following links. Save it to your desktop:

Link 1
Link 2

====================================================

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
c:\windows\system32\sofatnet.exe

Driver::
EvdoServer
sofatnet

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt and an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
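The CFScript above removes two services, and the logs earlier in the thread show why they stood out: EvdoServer runs inside "svchost.exe -k netsvcs" (so its payload is a ServiceDll, which is why Malwarebytes could only delete EvdoServer.dll on reboot), sofatnet is a stand-alone .exe dropped straight into system32, and a non-default svchost group "vvdsvc" appears under the svchost registry key. The script below is an added example for this thread, not code from the thread, from DDS or from ComboFix; it parses service lines in the DDS/ComboFix format and applies those three checks. The log excerpt is constructed to mirror the posted entries (with one benign netsvcs member added for contrast), and both baselines are illustrative assumptions, not an authoritative Windows XP list.

```python
"""Triage DDS/ComboFix service lines for svchost-hosted persistence.

Added example for this thread; not code from the thread, DDS or ComboFix. The log
excerpt is constructed to mirror the entries posted above, and both baselines are
illustrative assumptions, not an authoritative Windows XP list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DDS service line: "<code> <name>;<display name>;<image path> [<date> <time> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<code>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
SYSTEM32_EXE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)

# Assumed baselines (trimmed): svchost groups on a stock XP box, and names normally in netsvcs.
DEFAULT_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch", "imgsvc", "termsvcs"}
NETSVCS_BASELINE = {"wuauserv", "bits", "schedule", "themes", "lanmanserver", "lanmanworkstation",
                    "browser", "cryptsvc", "dhcp", "eventsystem", "seclogon", "sens", "sharedaccess",
                    "wzcsvc", "winmgmt", "wscsvc", "audiosrv", "rasman", "tapisrv"}

# Constructed excerpt in the thread's format; the wuauserv line is added as a benign netsvcs member.
SAMPLE_LOG = r"""
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 4:18 AM 14336]
R2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 12:12 AM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 5:00 AM 95232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2009 1:19 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
"""


@dataclass
class ServiceEntry:
    code: str              # R = running, S = stopped, digit = service type, as DDS prints it
    name: str
    display: str
    image: str
    group: Optional[str]   # svchost group when the image is "svchost.exe -k <group>"


def parse_services(text: str) -> List[ServiceEntry]:
    """One ServiceEntry per R*/S* line; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        host = SVCHOST_RE.search(m.group("image"))
        entries.append(ServiceEntry(m.group("code"), m.group("name"), m.group("display"),
                                    m.group("image"), host.group("group") if host else None))
    return entries


def parse_svchost_groups(text: str) -> Dict[str, List[str]]:
    """Read the svchost REG_MULTI_SZ block; ComboFix only prints non-default groups there."""
    groups: Dict[str, List[str]] = {}
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == SVCHOST_KEY:
            in_block = True
            continue
        if in_block:
            if not s or s.startswith("["):
                break
            parts = s.split(None, 2)  # "<group> REG_MULTI_SZ <members...>"
            if len(parts) >= 2 and parts[1] == "REG_MULTI_SZ":
                groups[parts[0]] = parts[2].split() if len(parts) == 3 else []
    return groups


def triage(entries: List[ServiceEntry], groups: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(name, reason) pairs worth a manual look; a clean excerpt returns []."""
    findings = []
    for e in entries:
        if e.group is not None:
            if e.group.lower() not in DEFAULT_GROUPS:
                findings.append((e.name, f"hosted by svchost in non-default group '{e.group}'"))
            elif e.group.lower() == "netsvcs" and e.name.lower() not in NETSVCS_BASELINE:
                # An unknown name inside netsvcs means a ServiceDll was planted; the DLL is
                # named under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
                findings.append((e.name, "netsvcs member outside baseline; inspect its ServiceDll"))
        elif e.code.startswith("R") and SYSTEM32_EXE_RE.match(e.image):
            # Vendor services live under Program Files; a lone .exe dropped straight into
            # system32 (often with a back-dated timestamp) is a common disguise.
            findings.append((e.name, "running stand-alone service binary placed directly in system32"))
    for group, members in groups.items():
        if group.lower() not in DEFAULT_GROUPS:
            findings.append((group, f"extra svchost group with members {members}"))
    return findings


def flagged_names(text: str) -> List[str]:
    """Distinct names triage() flags for a log excerpt, sorted."""
    return sorted({n for n, _ in triage(parse_services(text), parse_svchost_groups(text))})


if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE_LOG), parse_svchost_groups(SAMPLE_LOG)):
        print(f"{name:20} {reason}")
```

Run against the constructed excerpt it flags EvdoServer, sofatnet and the vvdsvc group and passes the Symantec entries and wuauserv, which is the same short list the CFScript above targets. The baselines are the weak point of any such check: a real netsvcs allowlist should be taken from a known-clean machine of the same OS build, and a name that passes the allowlist can still point at a replaced ServiceDll, so the registry Parameters key is the thing to confirm by hand.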
Old 08-21-2009, 03:44 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Re: Clicking sound and songs/audio advertisements playing automatically!!

OK, about that System Restore... I will keep that in mind!

After running that scan I kept the laptop running for almost 5 hours and no clicking sound or advertisement played, so no abnormal behaviour!!

Following are the latest logs:

ComboFix 09-08-20.07 - moon 08/21/2009 10:22.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.549 [GMT -6:00]
Running from: c:\documents and settings\moon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\moon\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\sofatnet.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\WPHV07NB.TTF
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj92661.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\mta90565.dll
c:\windows\TEMP\tmp0_849372658718.bk.old
c:\windows\TEMP\x1c111693.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVDOSERVER
-------\Legacy_SOFATNET
-------\Service_EvdoServer
-------\Service_sofatnet


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-15 02:32 . 2009-08-15 02:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-08-13 18:32 . 2009-08-13 18:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-12 14:08 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 19:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-08 19:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-08 17:53 . 2009-08-08 18:31 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-08 17:51 . 2009-08-08 17:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:50 . 2009-08-08 17:50 -------- d-----w- c:\program files\CCleaner
2009-08-08 17:47 . 2009-08-08 17:47 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-08 04:38 . 2009-08-08 15:58 -------- d-----w- c:\documents and settings\moon\.housecall6.6
2009-08-08 02:47 . 2009-08-08 02:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 17:04 . 2009-08-02 17:04 -------- d-----w- c:\program files\Common Files\Skype
2009-07-29 15:01 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 15:01 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 16:29 . 2009-06-11 19:08 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-17 03:55 . 2009-06-13 03:16 -------- d-----w- c:\documents and settings\moon\Application Data\Skype
2009-08-16 22:06 . 2009-06-13 03:17 -------- d-----w- c:\documents and settings\moon\Application Data\skypePM
2009-08-10 04:38 . 2009-06-20 23:09 -------- d-----w- c:\documents and settings\moon\Application Data\AdobeUM
2009-08-08 17:47 . 2009-06-26 14:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 03:24 . 2009-06-11 19:20 48304 ----a-w- c:\documents and settings\moon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2009-06-26 14:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2009-06-26 14:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 17:04 . 2009-06-13 03:16 -------- d-----r- c:\program files\Skype
2009-08-02 17:04 . 2009-06-13 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-30 04:14 . 2009-06-21 22:46 -------- d-----w- c:\program files\MetaTrader - Alpari (US)
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 03:49 . 2009-07-16 03:49 -------- d-----w- c:\program files\WordWeb
2009-07-14 01:22 . 2009-07-14 01:20 -------- d-----w- c:\documents and settings\moon\Application Data\mjusbsp
2009-07-14 01:21 . 2009-07-14 01:20 7685232 ---h--w- c:\documents and settings\moon\Application Data\mjusbsp\ar00000\upgrade.exe
2009-07-13 16:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 18:27 . 2006-02-20 09:39 -------- d-----w- c:\program files\Google
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\DivX
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-05 18:41 . 2009-07-05 18:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 14:44 . 2009-06-26 14:44 -------- d-----w- c:\documents and settings\moon\Application Data\Malwarebytes
2009-06-26 14:44 . 2009-06-26 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-18 00:46 . 2009-06-18 00:46 327437 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\CIP\TransferAgentSetup.exe
2009-06-18 00:46 . 2009-06-18 00:46 1896448 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\dplugins\2.0.1.571\DiagPlugin.dll
2009-06-18 00:46 . 2009-06-18 00:46 123138 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\HTML\MakeDesktopShortcut.EXE
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 03:01 . 2009-06-11 00:30 127 ----a-w- c:\documents and settings\moon\Local Settings\Application Data\fusioncache.dat
2009-06-15 00:26 . 2009-06-15 00:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-15 00:25 . 2009-06-15 00:25 152576 ----a-w- c:\documents and settings\moon\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 03:17 . 2009-06-13 03:17 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 23:42 . 2009-06-11 23:42 70984 ----a-w- c:\documents and settings\moon\g2mdlhlpx.exe
2009-06-11 19:08 . 2009-06-11 19:08 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-11 19:08 . 2009-06-11 19:08 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-11 03:11 . 2005-08-16 10:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-11 01:20 . 2009-06-11 01:20 64512 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\HTML\item_templ\coach\RunGdp.exe
2009-06-11 01:18 . 2009-06-11 01:18 698511 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\AutoMaintenance\AutoMaintenance.dll
2009-06-11 01:18 . 2009-06-11 01:18 225280 ----a-w- c:\documents and settings\moon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\AutoMaintenance\Images.dll
2009-06-10 15:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 19:57 . 2009-06-05 19:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 17:42 . 2009-06-19 03:21 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 17:42 . 2009-06-19 03:21 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 01:50 . 2009-06-11 14:24 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_19.54.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 16:29 . 2009-08-21 16:29 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2009-06-11 03:47 . 2009-08-10 14:44 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 11:00 . 2004-08-10 11:00 44032 c:\windows\system32\EvdoServer.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 80896 c:\windows\system32\dllcache\tlntsess.exe
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2009-08-10 04:38 . 2009-08-10 04:38 25214 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70000000000}\SC_Reader.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2004-08-10 11:00 . 2004-08-10 11:00 129536 c:\windows\system32\dvdpaly.exe
+ 2009-07-13 16:08 . 2009-07-13 16:08 286720 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2009-06-29 02:01 . 2009-08-21 15:48 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-29 02:01 . 2009-08-08 15:53 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-09-28 20:46 . 2005-09-28 20:46 1184984 c:\windows\system32\wvc1dmod.dll
- 2005-08-16 10:19 . 2007-04-30 14:20 5537792 c:\windows\system32\wmp.dll
+ 2005-08-16 10:19 . 2009-07-13 16:08 5537792 c:\windows\system32\wmp.dll
+ 2009-07-13 16:08 . 2009-07-13 16:08 5537792 c:\windows\system32\dllcache\wmp.dll
+ 2009-06-10 15:19 . 2009-06-10 15:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2009-08-10 04:38 . 2009-08-10 04:38 2727936 c:\windows\Installer\64ab31.msi
+ 2009-06-14 21:52 . 2009-07-30 00:49 24281536 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-26 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-11 68856]
"cdloader"="c:\documents and settings\moon\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-20 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]

c:\documents and settings\moon\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-7-15 42168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-2-20 156784]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\moon\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2009 1:19 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1796996158-2338655297-3951568191-1006Core.job
- c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-26 03:29]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1796996158-2338655297-3951568191-1006UA.job
- c:\documents and settings\moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-26 03:29]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = https://pccreg.trendmicro.com/12/PCC...reg/wcoBuy.asp
uInternet Settings,ProxyOverride = *.local
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 10:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-21 10:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 16:34
ComboFix2.txt 2009-08-16 00:00
ComboFix3.txt 2009-08-08 19:58

Pre-Run: 79,820,230,656 bytes free
Post-Run: 79,921,254,400 bytes free

282 --- E O F --- 2009-08-12 23:38
Monami_S is offline  
Old 08-21-2009, 06:30 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Clicking sound and songs/audio advertisements playing automatically!!

Glad to hear that.

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following File (Right click and select 'Delete'):

c:\windows\system32\EvdoServer.dll


===========================

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
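The scan instructions above end with the caveat that the report will list objects that are already quarantined, and the earlier post in this thread makes the matching point about infected restore points: a hit inside an AV quarantine folder or a System Restore snapshot is contained, while a hit at a live path is not. The script below is an added example for this thread, not code from the thread or from Kaspersky; it parses report lines in the scanner's "<path> Infected: <threat> <count>" format and splits them into contained and live detections. The report excerpt is constructed: the Symantec .VBN lines mirror the ones posted later in the thread, and the restore-point hit and the live hit (with made-up threat names) are added so that every branch is exercised.

```python
"""Split a Kaspersky Online Scanner report into contained versus live detections.

Added example for this thread; not code from the thread or from Kaspersky. The
report excerpt is constructed, and the path patterns for quarantine folders are
assumptions about where the tools named in this thread keep their quarantines.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Locations where a hit is an already-contained object rather than a live infection (assumed).
CONTAINED = [
    (re.compile(r"\\Quarantine\\.*\.VBN$", re.I), "Symantec quarantine"),
    (re.compile(r"\\Qoobox\\Quarantine\\", re.I), "ComboFix quarantine"),
    (re.compile(r"\\Malwarebytes' Anti-Malware\\Quarantine\\", re.I), "MBAM quarantine"),
    (re.compile(r"\\System Volume Information\\_restore", re.I), "System Restore point"),
]

# Constructed excerpt; the last two lines and their threat names are made up for the example.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 66246
Threats found: 9

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180000\4F7CE2F9.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180001\4F7CE386.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\084C0001\4ACE181E.VBN Infected: Backdoor.Win32.Bredolab.es 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Win32.Example.rp 1
C:\Documents and Settings\moon\Local Settings\Temp\constructed_live_sample.tmp Infected: Trojan.Win32.Example.live 1
"""


def parse_report(text: str) -> List[Tuple[str, str, int]]:
    """(path, threat, count) for each detection line; statistics and headers are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path: str) -> str:
    """Name of the containing quarantine/snapshot, or 'live' when the object is in use."""
    for pattern, label in CONTAINED:
        if pattern.search(path):
            return label
    return "live"


def summarize(text: str) -> Dict[str, object]:
    """Bucket detections by container and count threat families (name minus its variant suffix)."""
    hits = parse_report(text)
    buckets: Dict[str, List[str]] = {}
    for path, _, _ in hits:
        buckets.setdefault(classify(path), []).append(path)
    families = Counter(threat.rsplit(".", 1)[0] for _, threat, _ in hits)
    return {
        "total": len(hits),
        "live": buckets.get("live", []),
        "contained": {k: v for k, v in buckets.items() if k != "live"},
        "families": dict(families),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"{report['total']} detections, {len(report['live'])} live")
    for label, paths in report["contained"].items():
        print(f"  {label}: {len(paths)} (contained)")
    for path in report["live"]:
        print(f"  LIVE: {path}")
```

On the constructed excerpt this reports five detections, four of them contained (three in the Symantec quarantine, one in a restore point) and one live temp file that would need attention. The quarantine patterns are deliberately narrow: a path that merely contains the word "Quarantine" elsewhere is still treated as live, which is the safer default when triaging someone else's report.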
Old 08-21-2009, 11:33 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Re: Clicking sound and songs/audio advertisements playing automatically!!

Here are the logs from online scanning!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 22, 2009 05:28:41
Records in database: 2674758
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 66246
Threats found: 9
Infected objects found: 37
Suspicious objects found: 0
Scan duration: 01:34:34


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180000\4F7CE2F9.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180001\4F7CE386.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180002\4F7CE394.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180003\4F7CE51F.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180006\4F7CE55D.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180007\4F7CE567.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\084C0001\4ACE181E.VBN Infected: Backdoor.Win32.Bredolab.es 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\084C0002\4ACE189E.VBN Infected: Backdoor.Win32.Bredolab.es 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09980000\4BDFEB84.VBN Infected: Trojan.Win32.Inject.ahub 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A380000\4A7ED034.VBN Infected: Trojan.Win32.Monder.cpyt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B200000\4B64D5BE.VBN Infected: Trojan-Dropper.Win32.Agent.auoy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B200001\4B64D5C7.VBN Infected: Trojan-Dropper.Win32.Agent.auoy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700000\4F7DA6A5.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700001\4F7DA7A5.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700002\4F7DA807.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700003\4F7DA8DF.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700004\4F7DA9B8.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700005\4F7DAAA9.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700006\4F7DAB87.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700007\4F7DAC5A.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700008\4F7DAD2F.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D700009\4F7DAE0F.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D70000A\4F7DAEF1.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ffl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0000\5AFCF085.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0001.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0002.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0003.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0007.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0008.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C000C.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C000F.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0010.VBN Infected: Packed.Win32.Krap.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0011.VBN Infected: Packed.Win32.Krap.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\tmp0_849372658718.bk.old.vir Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000029.exe Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\WINDOWS\system32\dvdpaly.exe Infected: Trojan-Downloader.Win32.DlfBfkg.ys 1

Selected area has been scanned.
Old 08-21-2009, 11:46 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Clicking sound and songs/audio advertisements playing automatically!!

It's better than it looks.



Delete the following file:

C:\WINDOWS\system32\dvdpaly.exe <--note the spelling

========================================


Empty the Symantec AntiVirus Corporate Edition Quarantine folder.


========================================


The remainder of Kaspersky's findings are backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. We'll clear those now.

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
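The triage Ried applies above (one live file to delete, the AV quarantine to empty, and everything else being ComboFix backups or the System Restore cache that ComboFix /u flushes) can be automated for a report in this format. This is an added example, not code from the thread, from Kaspersky or from ComboFix; the report lines it parses are copied from the scan report posted above, and the category names and the recommended-action wording are this example's own choices.

```python
"""Triage a Kaspersky Online Scanner report: separate findings that are
already contained (AV quarantine, ComboFix's Qoobox backups, System Restore
cache) from live files that still need action.  Added example, not part of
the original thread."""
import re
from collections import defaultdict

# Sample input: five finding lines copied from the report above plus its
# closing footer, in the "<path> Infected: <threat> <count>" shape.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05180000\4F7CE2F9.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\108C0001.VBN Infected: Packed.Win32.Krap.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000029.exe Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\WINDOWS\system32\dvdpaly.exe Infected: Trojan-Downloader.Win32.DlfBfkg.ys 1
Selected area has been scanned.
"""

# Non-greedy path so the first " Infected: " marks where the threat name starts.
FINDING_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path):
    """Bucket a reported path by where the sample actually lives."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "combofix_backup"   # ComboFix's backups of what it already removed
    if "\\system volume information\\" in p:
        return "restore_point"     # System Restore cache, flushed when SR is reset
    if "\\quarantine\\" in p:
        return "av_quarantine"     # already neutralised by the resident AV
    return "live"                  # still on the file system: needs action


def parse_report(text):
    """Return (path, threat, count) for every finding line; skip everything else."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return findings


def triage(text):
    """Group findings into category -> list of (path, threat)."""
    groups = defaultdict(list)
    for path, threat, _ in parse_report(text):
        groups[classify(path)].append((path, threat))
    return dict(groups)


def action_items(text):
    """Paths that are neither quarantined nor sitting in a backup/restore cache."""
    return [path for path, _ in triage(text).get("live", [])]


def recommended_actions(text):
    """Turn the triage into the same three-step plan the reply above gives."""
    groups = triage(text)
    plan = [f"delete live file {path} ({threat})" for path, threat in groups.get("live", [])]
    if groups.get("av_quarantine"):
        plan.append(f"empty the AV quarantine ({len(groups['av_quarantine'])} items)")
    contained = len(groups.get("combofix_backup", [])) + len(groups.get("restore_point", []))
    if contained:
        plan.append(f"run ComboFix /u to remove its backups and flush restore points ({contained} items)")
    return plan


if __name__ == "__main__":
    for step in recommended_actions(SAMPLE_REPORT):
        print(step)
```

Run against the sample, the only live hit is C:\WINDOWS\system32\dvdpaly.exe; the other findings fall into the quarantine, backup and restore-point buckets, which is exactly why the reply says the report is "better than it looks". The Qoobox check comes before the generic quarantine check because ComboFix's folder path also contains the word Quarantine.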
Old 08-22-2009, 10:27 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 12
OS: XP


Re: Clicking sound and songs/audio advertisements playing automatically!!

Thanks a lot! I completed the last step, bookmarked the links you suggested and installed the tools!! I also donated a small amount, as I found this website and your help very useful!!

You can treat this as solved!! Thanks again for your time and help!
Old 08-22-2009, 10:45 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Clicking sound and songs/audio advertisements playing automatically!!

That was very generous of you, thank you. Any donations go directly toward the operations of this site and keeping it free for all to use, and are appreciated by the owner.

And you are quite welcome, Monami_S. It's been a pleasure.
Copyright 2001 - 2009, Tech Support Forum