
Registered · 30 Posts · Discussion Starter · #1
I appear to be having the same problem that many on this site are having at the moment: I have multiple instances of iexplore.exe running in the "system" area in my task manager, regardless of whether or not I'm using Internet Explorer. When I go wireless and turn off my ethernet card, this appears to stop. I tried to remove it by removing internet explorer and associated files. This worked to an extent, in that the bug didn't show up again, but I then re-installed IE and presto! there it was happening again. I get random ads popping up to seemingly well-known and legitimate sites, as well as audio commercials. My Wave volume bar also consistently turns itself off so that I can't hear anything. I have run DDS and attached the logs as specified in the "instructions" thread, but when I attempt to run GMER I eventually get the blue screen of death in either standard or safe mode. I did have daemon tools and have removed it to the best of my ability, but I'm not sure if there are any remnants. Help would be greatly appreciated, as this is driving me nuts.

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by adam.wilhelm at 14:37:19.80 on Tue 07/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1213 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Laserfiche\Snapshot 7\SnapshotService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Documents and Settings\adam.wilhelm\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EAD3A971-6A23-4246-8691-C9244E858967} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imager~1.lnk - c:\program files\scansoft\paperport\xdcla.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq.labsafety.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206471593296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-9 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-9 108392]
R2 Laserfiche Snapshot Service 7;Laserfiche Snapshot Service 7;c:\program files\laserfiche\snapshot 7\SnapshotService.exe [2008-4-1 24576]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-1-26 2560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-7-9 2440632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100708.049\NAVENG.SYS [2010-7-9 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100708.049\NAVEX15.SYS [2010-7-9 1347504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-9 23888]
S3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S3 ethuio;Alerton/Honeywell BACtalk Driver 1.32;c:\windows\system32\drivers\ethuio.sys [2006-3-28 20480]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-25 189792]

=============== Created Last 30 ================

2010-07-13 21:26:33 114688 ----a-w- c:\windows\system32\dllcache\calc.exe
2010-07-13 21:26:33 114688 ----a-w- c:\windows\system32\calc.exe
2010-07-13 21:11:09 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 20:39:49 94208 ----a-w- c:\windows\system32\stacsv.exe
2010-07-13 20:39:49 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2010-07-13 20:39:49 405504 ----a-w- c:\windows\stsystra.exe
2010-07-13 20:39:49 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-07-13 20:39:18 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-07-13 18:59:46 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-13 18:59:26 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB
2010-07-13 18:59:25 0 d-----w- c:\program files\Driver Whiz
2010-07-13 18:49:44 0 d-----w- c:\program files\HWiNFO32
2010-07-13 18:15:07 0 d-----w- C:\Intel
2010-07-13 18:09:27 0 d-----w- c:\program files\Microsoft
2010-07-13 18:09:26 0 d-----w- c:\program files\MSN Toolbar
2010-07-13 18:07:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-07-13 18:07:31 0 d-----w- c:\program files\MSN Toolbar Installer
2010-07-13 17:55:28 146944 ----a-w- c:\windows\system32\st325602.dll
2010-07-13 16:55:54 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-13 15:30:27 0 dc-h--w- c:\windows\ie8
2010-07-13 15:10:35 0 d-----w- c:\program files\msn gaming zone
2010-07-12 17:23:46 0 d-sha-r- C:\cmdcons
2010-07-12 17:19:38 98816 ----a-w- c:\windows\sed.exe
2010-07-12 17:19:38 77312 ----a-w- c:\windows\MBR.exe
2010-07-12 17:19:38 256512 ----a-w- c:\windows\PEV.exe
2010-07-12 17:19:38 161792 ----a-w- c:\windows\SWREG.exe
2010-07-12 16:53:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-12 16:53:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 15:33:43 0 d--h--w- c:\windows\PIF
2010-07-12 15:28:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-12 13:04:57 0 d-----w- c:\docume~1\adam~1.wil\applic~1\FLVPlayer4Free
2010-07-12 13:04:54 0 d-----w- c:\program files\FLVPlayer4Free
2010-07-11 19:11:09 0 d-----w- c:\documents and settings\adam.wilhelm\dwhelper

==================== Find3M ====================

2010-07-13 19:24:59 210128 ----a-w- c:\windows\system32\nvModes.dat
2010-07-09 15:28:23 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2009-03-10 18:33:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031020090311\index.dat

============= FINISH: 14:37:28.24 ===============
 


TSF Security Manager, Emeritus · 42,952 Posts
Hello von wilhelm,

Before we begin removal of the various infections onboard (one of which is an infected MBR), kindly tell me if there is another computer at your location.
 

TSF Security Manager, Emeritus · 42,952 Posts
Thank you. It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from here and save it to your desktop.

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

TSF Security Manager, Emeritus · 42,952 Posts
That will be fine. I am subscribed to this thread and will be notified when you post. :smile:
 

Registered · 30 Posts · Discussion Starter · #9
Ok - ComboFix done. The log is below:

ComboFix 10-07-24.06 - adam.wilhelm 07/26/2010 17:57:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1463 [GMT -7:00]
Running from: c:\documents and settings\adam.wilhelm\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-22 13:38 . 2010-07-22 13:38 1812 ----a-w- C:\ark.zip
2010-07-21 19:08 . 2010-07-21 19:08 -------- d-----w- c:\program files\Audible
2010-07-20 23:58 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-07-20 21:27 . 2010-07-20 21:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 21:21 . 2010-07-20 21:21 -------- d-----w- c:\documents and settings\adam.wilhelm\Application Data\Office Genuine Advantage
2010-07-15 18:03 . 2010-07-15 18:03 63488 ----a-w- c:\documents and settings\adam.wilhelm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-15 18:03 . 2010-07-15 18:03 52224 ----a-w- c:\documents and settings\adam.wilhelm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-15 18:03 . 2010-07-15 18:03 117760 ----a-w- c:\documents and settings\adam.wilhelm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-15 18:02 . 2010-07-15 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-15 18:02 . 2010-07-15 18:02 -------- d-----w- c:\documents and settings\adam.wilhelm\Application Data\SUPERAntiSpyware.com
2010-07-15 18:01 . 2010-07-22 13:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-14 20:52 . 2006-08-15 17:15 110592 ----a-w- c:\documents and settings\adam.wilhelm\Application Data\U3\temp\cleanup.exe
2010-07-14 19:44 . 2010-07-26 14:55 -------- d-----w- c:\documents and settings\adam.wilhelm\Application Data\U3
2010-07-13 22:09 . 2003-03-31 14:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-07-13 22:09 . 2003-03-31 14:00 138752 ----a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-07-13 21:26 . 2004-08-04 11:00 114688 ----a-w- c:\windows\system32\dllcache\calc.exe
2010-07-13 21:11 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 20:39 . 2007-05-10 17:23 94208 ----a-w- c:\windows\system32\stacsv.exe
2010-07-13 20:39 . 2007-05-10 17:22 405504 ----a-w- c:\windows\stsystra.exe
2010-07-13 20:39 . 2007-04-11 00:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-07-13 20:39 . 2007-05-10 17:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-07-13 18:59 . 2010-07-13 18:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 18:59 . 2010-07-13 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2010-07-13 18:15 . 2010-07-13 18:15 -------- d-----w- C:\Intel
2010-07-13 18:09 . 2010-07-13 18:09 -------- d-----w- c:\program files\Microsoft
2010-07-13 18:09 . 2010-07-13 18:09 -------- d-----w- c:\program files\MSN Toolbar
2010-07-13 18:07 . 2010-07-13 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-07-13 18:07 . 2010-07-13 18:09 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-07-13 16:55 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-13 15:30 . 2010-07-13 16:03 -------- dc-h--w- c:\windows\ie8
2010-07-13 14:45 . 2010-07-13 14:45 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-12 17:21 . 2010-07-12 17:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-12 17:20 . 2010-07-12 17:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-12 16:54 . 2010-07-12 16:54 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 16:53 . 2010-07-12 16:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 15:38 . 2010-07-12 15:38 -------- d-----w- c:\documents and settings\adam.wilhelm\Local Settings\Application Data\Help
2010-07-12 15:33 . 2010-07-12 15:33 -------- d--h--w- c:\windows\PIF
2010-07-12 15:29 . 2010-07-12 15:29 3257 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
2010-07-12 15:28 . 2010-07-12 15:28 60 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109910090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109810090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109711090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 92 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109610090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109511090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 107 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109510090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 1509 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109440090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 12597 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109110000000000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-12 15:28 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109010090400000000000F01FEC.dll
2010-07-12 15:28 . 2010-07-13 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-07-07 14:50 . 2010-07-07 14:51 5037504 ----a-w- c:\documents and settings\adam.wilhelm\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
2010-07-07 13:26 . 2010-07-07 13:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 00:44 . 2009-01-26 19:13 1225 --sha-w- c:\windows\system32\mmf.sys
2010-07-26 15:48 . 2008-03-06 05:13 210128 ----a-w- c:\windows\system32\nvModes.dat
2010-07-26 14:52 . 2010-01-13 02:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-24 05:55 . 2008-03-27 21:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-21 00:00 . 2010-07-21 00:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-07-21 00:00 . 2010-07-21 00:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-07-20 21:18 . 2008-03-25 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-20 20:45 . 2009-05-21 03:05 -------- d-----w- c:\program files\Common Files\3DO Shared
2010-07-13 18:20 . 2009-08-03 13:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-13 18:18 . 2008-03-06 05:30 -------- d-----w- c:\program files\Intel
2010-07-13 14:59 . 2010-03-29 14:40 -------- d-----w- c:\program files\TweakNow RegCleaner
2010-07-13 14:49 . 2009-12-17 02:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-12 16:42 . 2008-03-06 05:27 -------- d-----w- c:\program files\Java
2010-07-12 15:29 . 2010-07-12 15:29 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DCC9BD3665B27124A9D305A77C3802AC.dll
2010-07-11 16:13 . 2010-01-03 18:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 16:12 . 2009-08-11 15:21 -------- d-----w- c:\program files\Paradox Interactive
2010-07-11 16:12 . 2008-03-06 05:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 04:35 . 2009-01-26 19:13 1225 --sha-w- c:\windows\system32\mmf(2)(2).sys
2010-07-07 19:35 . 2010-06-08 04:59 -------- d-----w- c:\program files\Download Manager
2010-07-05 16:51 . 2009-11-20 02:53 -------- d-----w- c:\documents and settings\adam.wilhelm\Application Data\IGN_DLM
2010-07-03 22:31 . 2010-06-08 19:39 -------- d-----w- c:\program files\Ubisoft
2010-07-01 13:21 . 2009-01-26 19:13 1225 --sha-w- c:\windows\system32\mmf(3)(2).sys
2010-06-14 14:31 . 2004-08-11 23:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-07 23:13 . 2010-04-30 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-05 03:30 . 2010-05-07 03:53 -------- d-----w- c:\program files\Firaxis Games
2010-06-03 02:59 . 2009-07-09 21:23 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-05-06 10:41 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 00:33 . 2010-04-30 00:33 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-29 22:39 . 2010-01-03 18:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-01-03 18:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-22 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="NvMCTray.dll" [2009-11-21 110184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-3-25 1445904]
Image Retriever.lnk - c:\program files\Scansoft\PaperPort\xdcla.exe [2008-3-25 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^adam.wilhelm^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\documents and settings\adam.wilhelm\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-17 00:20 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2009-07-09 21:23 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent]
2009-02-04 22:35 78848 ----a-w- c:\windows\system32\DWRCST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 08:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 04:24 405504 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-10-27 17:18 1103216 ----a-w- c:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-09-20 17:19 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 01:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 04:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2009-11-21 04:32 87144 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-21 04:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
2002-12-03 22:29 49152 ----a-w- c:\program files\Scansoft\OmniPagePro11.0\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-09-20 16:52 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 2:00 AM 26624]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 1:21 PM 79432]
R2 Laserfiche Snapshot Service 7;Laserfiche Snapshot Service 7;c:\program files\Laserfiche\Snapshot 7\SnapshotService.exe [4/1/2008 2:14 PM 24576]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 2:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:17 AM 102448]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [1/26/2009 12:13 PM 2560]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/9/2009 2:23 PM 23888]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 ethuio;Alerton/Honeywell BACtalk Driver 1.32;c:\windows\system32\drivers\ethuio.sys [3/28/2006 3:55 PM 20480]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/1/2010 2:07 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\User_Feed_Synchronization-{CC8ECCBA-E147-4D9C-9400-37562EED38C2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-Apoint - c:\program files\Apoint\Apoint.exe
MSConfigStartUp-Ask and Record FLV Service - c:\program files\Replay Media Catcher\FLVSrvc.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-IntelliPoint - c:\program files\Microsoft IntelliPoint\ipoint.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-settdebugx - c:\docume~1\ADAM~1.WIL\LOCALS~1\Temp\settdebugx.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe
MSConfigStartUp-vyjpkkma - c:\documents and settings\adam.wilhelm\Local Settings\Application Data\ukuspf\wslksysguard.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 18:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,fa,48,e6,dc,f7,b0,4b,b0,a9,8a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,fa,48,e6,dc,f7,b0,4b,b0,a9,8a,\

[HKEY_USERS\S-1-5-21-2101437271-803894987-1073948036-5881\Software\SecuROM\License information*]
"datasecu"=hex:e0,ad,90,38,a0,60,58,c0,f2,9c,69,a1,2c,66,5f,cb,c1,95,a3,85,11,
ff,b6,87,0d,6b,38,15,84,57,9f,85,97,a9,8c,43,5c,5d,8e,16,77,79,b5,89,b4,4c,\
"rkeysecu"=hex:6f,9c,7b,dc,2c,8f,5c,46,0a,e8,be,18,e5,9c,11,16

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-26 18:06:51
ComboFix-quarantined-files.txt 2010-07-27 01:06

Pre-Run: 29,603,332,096 bytes free
Post-Run: 29,565,517,824 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0E50547F6EBD7837B630EF5EC5EA0D72
 

TSF Security Manager, Emeritus · 42,952 Posts
Hi von wilhelm. It appears you did not download ComboFix from the link I provided you with. How is the system behaving now?
 

Registered · 30 Posts · Discussion Starter · #11
I had actually downloaded it already in anticipation of working through this, since my time is very fluid and I wanted to be able to jump on top of this. It does seem to be working better - the wave volume dropping has stopped, the sound ads and pop-ups have stopped.
 

TSF Security Manager, Emeritus · 42,952 Posts
Did you run any other tools before running ComboFix?
 

TSF Security Manager, Emeritus · 42,952 Posts
Then we still need to check the MBR. Download MBRCheck.exe and save it to your desktop.
  • Double-click MBRCheck.exe to run the tool.
  • If malicious MBR code is found, do not take any action against it. Type N and press Enter.
  • If no malicious code was found, just press Enter.
  • A Notepad file will then be on the desktop. Please copy/paste the contents of that file in your next reply.
 

Registered · 30 Posts · Discussion Starter · #15
Here it is:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size   Device Name          MBR Status
--------------------------------------------
74 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...
 

TSF Security Manager, Emeritus · 42,952 Posts
How is the system behaving? Please run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
 

Registered · 30 Posts · Discussion Starter · #18
I apologize for my late reply - sick kids. I will run the scan today and let you know. It seems like it is running kind of slow, but I'm not noticing anything else at the moment.
 

TSF Security Manager, Emeritus · 42,952 Posts
I understand the delay. :)

Let's see if the online scan picks up on anything. Also, please run dds.scr again and post a fresh dds.txt along with the Kaspersky results.
 

Registered · 30 Posts · Discussion Starter · #20
Sorry again for the late reply. I cannot run Kaspersky because my Java installation appears to be a total mess. I can only install up to update 16; once I try to install 17 or later, it asks for the file "jre 1.6.0_13-c.msi". I cannot find reference to that installer file anywhere on the web. I can't move any farther with Java either on IE or Mozilla.
 