
[Active] can't get HJT to run

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by whoistony, Feb 15, 2010.

  1. whoistony

    whoistony Techie7 New Member

    hey guys, I am trying to fix my girlfriend's laptop for her but can't get HJT to run. She has XP on her computer and is infected with XP Antispyware and Advanced Defender, among others. I'm trying to keep her offline; going online is nearly impossible anyway, so I am trying to move everything I need over on a flash drive. I can't run executable files or Task Manager. Safe Mode has worked every once in a while, but to no avail lately (I just get a blue screen and it restarts). Any help would be appreciated; I really need a jumping-off point.
     
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Download the following three programs on a good computer, move them to the bad computer and run them in the very same sequence...

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.


    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. whoistony

    whoistony Techie7 New Member

    Thanks for the help, broni. When I try to run the fixes it seems like I have a very small window to do so. After the computer logs me in, the desktop becomes blue. This happens after maybe a minute or less has passed, and once this happens I can still open files but they only flash up for a split second and then go away. I have gotten Rkill to run up to the point where it says something like "terminating known malware processes". I can still navigate through my computer files just fine. Most visible spyware is gone once the desktop "resets", except for a little popup from Advanced Defender which warns me that whatever I am trying to run (Rkill, exeHelper, ComboFix, etc.) is infected with a worm. Here is what my (probably incomplete) exeHelper log looked like.

    exeHelper by Raktor
    exeHelper by Raktor
    Build 20091220
    exeHelper by Raktor
    Build 20091220
    Run at 00:49:07 on 02/16/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Killed process msa.exe
    Checking for bad files...
    Deleting file C:\WINDOWS\system32\41.exe
    Error deleting C:\WINDOWS\system32\41.exe - Set for removal on reboot - PLEASE REBOOT
    Deleting file C:\WINDOWS\msa.exe
    Deleting file C:\WINDOWS\system32\sdra64.exe
    Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com

    As for combofix I get the green bar to load up, but the next screen asking for confirmation only flickers up and disappears.

    Again, thank you for the help.
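The exeHelper log above ends with "Resetting filetype association for .exe" and ".com". A redirected file association is one common reason an infected XP machine refuses to run any executable: the default value of HKCR\exefile\shell\open\command no longer reads `"%1" %*`, so another program is launched before (or instead of) the one you double-clicked, and that is what exeHelper puts back. The Python below is an added example, not code from the thread or from exeHelper. It parses a constructed `.reg` export of the .exe and .com associations and reports any that deviate from the stock Windows XP defaults. The expected strings are my assumption about the stock values; the hijacked .com command and its HIJACKER_PLACEHOLDER.exe path are constructed for the example.

```python
import re

# Constructed .reg export (not from the thread): the .exe association is the
# stock Windows XP one, while .com has been redirected through a placeholder
# program that runs before the real target.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\HIJACKER_PLACEHOLDER.exe\" /START \"%1\" %*"
"""

# Assumed stock Windows XP values for the two associations exeHelper resets.
# '"%1" %*' means "run the clicked file itself, passing its arguments through".
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_LINE = re.compile(r'^@="(.*)"$')


def _unescape(value):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_defaults(reg_text):
    """Map each key in a .reg export to its (Default) string value."""
    defaults = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_VALUE_LINE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group(1))
    return defaults


def check_associations(reg_text, expected=EXPECTED_DEFAULTS):
    """Return (key, actual, expected) for every association that deviates from stock."""
    defaults = parse_reg_defaults(reg_text)
    mismatches = []
    for key, want in expected.items():
        got = defaults.get(key)  # None when the key is missing from the export
        if got != want:
            mismatches.append((key, got, want))
    return mismatches


if __name__ == "__main__":
    for key, got, want in check_associations(SAMPLE_REG):
        print(f"{key}\n    found:    {got!r}\n    expected: {want!r}")
```

On a real machine the export comes from `reg export HKEY_CLASSES_ROOT\exefile` (and `comfile`) run from a clean session, or from the SOFTWARE hive mounted offline; the checker then tells you whether exeHelper's reset is actually needed or has already taken effect.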
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
     
  5. whoistony

    whoistony Techie7 New Member

    Sorry for the delay, broni, but my girlfriend got impatient and took her laptop back. She started running all the programs willy-nilly and somehow got it to a state of usability (hopefully it's not damaged further!). I got her to run HijackThis and message me the log over Facebook. (I think that's the reason for the Facebook redirects in all the links. Anti-spam measure?)

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 9:49:06 PM, on 2/21/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.Leaving Facebook... | Facebook)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe
    c:\program files\microsoft visual studio\bin\ir41_qcx .exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\program files\microsoft visual studio\bin\ir41_qcx .exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\program files\microsoft office\office12\groovemonitor .exe
    c:\program files\java\jre1.6.0_02\bin\jusched .exe
    c:\program files\lexmark 3100 series\lxbrbmgr .exe
    c:\progra~1\lexmar~1\lxbrksk .exe
    c:\program files\common files\pure networks shared\platform\nmctxth .exe
    c:\program files\linksys\linksys wireless manager\linksyswirelessmanager .exe
    c:\program files\lexmark 3100 series\lxbrbmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Flock\flock\flock.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Leaving Facebook... | Facebook
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Leaving Facebook... | Facebook
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Leaving Facebook... | Facebook
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Leaving Facebook... | Facebook
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Leaving Facebook... | Facebook
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: (no name) - {362d5e76-83be-42e5-9b93-17766c2e9749} - tokivafa.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
    O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
    O4 - HKLM\..\Run: [yaruninupo] Rundll32.exe "tijayefe.dll",s
    O4 - HKLM\..\Run: [bosinuvak] Rundll32.exe "c:\windows\system32\feyimupa.dll",a
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
    O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc
    O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Wireless Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-internetsecurity10.com
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-is2010.com
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is-software-download.com
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is-software-download25.com
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is10-soft-download.com
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-is2010.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA541AA-13A9-447A-88A3-7AEFD8D20918}: NameServer = http://www.facebook.com/l/094dd;83.149.115.157,4.2.2.1,192.168.0.1 205.171.3.25
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20E0C437-AF66-41D2-AE8E-D6341CA1BEF1}: NameServer = http://www.facebook.com/l/094dd;83.149.115.157,4.2.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFDF50BE-5E36-4ACA-908E-0B3B8189F802}: NameServer = http://www.facebook.com/l/094dd;93.188.164.119,93.188.166.93
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF5E8574-21B3-4F63-94E4-667C1C152AA4}: NameServer = http://www.facebook.com/l/094dd;83....ok.com/l/094dd;1,93.188.164.119,93.188.166.93
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = http://www.facebook.com/l/094dd;93.188.164.119,93.188.166.93
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O21 - SSODL: mazakesom - {dc2ed2e4-96d3-4794-8f18-6cd55707722d} - c:\windows\system32\feyimupa.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: tokatiluy - {dc2ed2e4-96d3-4794-8f18-6cd55707722d} - c:\windows\system32\feyimupa.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11306 bytes
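As an added example (my code, not the thread's and not part of HijackThis), here is a small triage script over HijackThis-style entry lines that flags the patterns an analyst looks for in a log like the one above: a browser proxy pointing at 127.0.0.1 (R1), rundll32 autostarts that load a DLL by bare name or straight from the Windows root directory (O4), executable names with whitespace before `.exe` (O4), Trusted Zone additions (O15), and NameServer entries pointing at public resolvers that are not on a reviewer-supplied allowlist (O17). The sample lines are constructed from this thread's log with the Facebook redirect residue stripped; `KNOWN_GOOD_RESOLVERS` and the Windows-root heuristic are my assumptions.

```python
import ipaddress
import re

# Constructed sample of HijackThis-style entries, modelled on the log posted in
# this thread (Facebook link-wrapping residue removed). Not a real log.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
O4 - HKLM\..\Run: [yaruninupo] Rundll32.exe "tijayefe.dll",s
O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc
O15 - Trusted Zone: *.buy-is2010.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{20E0C437-AF66-41D2-AE8E-D6341CA1BEF1}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFDF50BE-5E36-4ACA-908E-0B3B8189F802}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUNDLL = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)
WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def parse_hjt(text):
    """Return (kind, body) pairs for the R*/O* entry lines; the process list is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _nameserver_findings(body, known_good):
    """O17: any resolver that is neither RFC 1918/loopback nor on the allowlist."""
    _, sep, servers = body.partition("NameServer =")
    if not sep:
        return []
    out = []
    for tok in re.split(r"[,\s]+", servers.strip()):  # HJT separates with ',' or ' '
        if not tok:
            continue
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            out.append(f"unparseable DNS server value {tok!r}")
            continue
        if ip.is_private or ip.is_loopback or tok in known_good:
            continue
        out.append(f"unexpected public DNS server {tok}")
    return out


def _proxy_findings(body):
    """R0/R1: a ProxyServer on loopback means something local is intercepting HTTP."""
    _, sep, value = body.partition("ProxyServer =")
    if sep and re.search(r"127\.0\.0\.1|localhost", value, re.IGNORECASE):
        return [f"browser proxy set to loopback: {value.strip()}"]
    return []


def _trusted_zone_findings(body):
    """O15: every Trusted Zone addition is listed for review."""
    _, sep, site = body.partition("Trusted Zone:")
    return [f"trusted-zone entry {site.strip()} (review)"] if sep else []


def _run_findings(body):
    """O4: heuristics over the autostart command (assumed, not HijackThis's own rules)."""
    _, _, cmd = body.partition("] ")  # drop the registry path and [value name]
    out = []
    if re.search(r"\s\.exe\b", cmd, re.IGNORECASE):
        out.append("whitespace before .exe in executable name")
    m = RUNDLL.match(cmd)
    if m:
        dll = m.group(1).strip()
        if "\\" not in dll:
            out.append(f"rundll32 loads {dll} by bare name (resolved through the search path)")
        elif WINROOT_DLL.match(dll):
            out.append(f"rundll32 loads {dll} from the Windows root directory")
    return out


def triage(text, known_good_resolvers=frozenset()):
    """Run the heuristics over a HijackThis log and return (kind, reason, body) findings."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O17":
            reasons = _nameserver_findings(body, known_good_resolvers)
        elif kind == "O4":
            reasons = _run_findings(body)
        elif kind == "O15":
            reasons = _trusted_zone_findings(body)
        elif kind in ("R0", "R1"):
            reasons = _proxy_findings(body)
        else:
            reasons = []
        findings.extend((kind, reason, body) for reason in reasons)
    return findings


# Assumed allowlist: the reviewer decides which public resolvers are expected on
# the machine (4.2.2.1 is a widely used Level 3 public resolver).
KNOWN_GOOD_RESOLVERS = frozenset({"4.2.2.1"})

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_HJT, KNOWN_GOOD_RESOLVERS):
        print(f"{kind}: {reason}\n    {body}")
```

The rule set is deliberately narrow: on the sample it flags six lines, but the `[Remote System Protection]` loader, a randomly named DLL sitting in system32, passes every heuristic here, which is why a script like this only prioritises what to read first and does not replace reading the whole log, as broni does above.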
     
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Print these instructions out.


    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scan.***

    STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. whoistony

    whoistony Techie7 New Member

    Malwarebytes will not run, even after a clean install. The error looks like this.

    Unable to execute file
    C:/documents...mbam.exe
    createprocess failed; code 2
    the system cannot find the file specified

    It pops up a few times in the installation process.

    She also gets a rundll error (missing?) upon startup.

    EDIT: I found a workaround for it and will post the information you needed as soon as I can.
     
    Last edited: Feb 22, 2010
  8. broni

    broni Malware Annihilator Techie7 Moderator Head Security

  9. whoistony

    whoistony Techie7 New Member

    Malwarebytes' Anti-Malware 1.44
    Database version: 3777
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2/22/2010 4:57:08 PM
    mbam-log-2010-02-22 (16-57-08).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 180801
    Time elapsed: 1 hour(s), 30 minute(s), 38 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 3
    Registry Keys Infected: 25
    Registry Values Infected: 24
    Registry Data Items Infected: 14
    Folders Infected: 0
    Files Infected: 191

    Memory Processes Infected:
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe (Malware.Packer.Gen) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\tokivafa.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\sajijade.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\dlgfsvcr.dll (Trojan.Hiloti) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362d5e76-83be-42e5-9b93-17766c2e9749} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{362d5e76-83be-42e5-9b93-17766c2e9749} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{5303591c-b7ec-4404-bdd5-81f2bc4fc5dc} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{218cb45f-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{06f6ea9d-88b0-45a9-9f26-ce0898d9ea1c} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{218cb451-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{218cb453-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{218cb454-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{218cb455-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{218cb456-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{28e28123-7dc5-45d3-860e-8ee1c3681bd5} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{35edd1cc-1a8c-11d2-b49d-00c04fb90376} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{35edd1cd-1a8c-11d2-b49d-00c04fb90376} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{659ecad8-a5c0-11d2-a440-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{659ecad9-a5c0-11d2-a440-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6fd143e6-20a5-11d2-91ad-0000f81fefc9} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{82e11592-20f5-11d2-91ad-0000f81fefc9} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{97c3808a-eca1-4ca6-8d09-122a3cc54b3b} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c9a6a6b6-9bc1-43a5-b06b-e58874eebc96} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cb643558-61cd-42b2-a9a5-496a7884ad61} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f3a614dd-abe0-11d2-a441-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{ff55d627-cf5b-40de-850f-62d20bc241c8} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symantec event manager (ccevtmgr) (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bosinuvak (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{5303591c-b7ec-4404-bdd5-81f2bc4fc5dc} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yilufonis (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkeyscmds (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prismsvr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe reader speed launcher (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmctxth (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssc_userprompt (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nav cfgwiz (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quicktime task (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linksys wireless manager (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmsgs (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groovemonitor (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lexmark 3100 series (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaruninupo (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remote system protection (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dlgfsvcr.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is10-soft-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-Internetsecurity10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-Internetsecurity10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1aa541aa-13a9-447a-88a3-7aefd8d20918}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,192.168.0.1 205.171.3.25 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20e0c437-af66-41d2-ae8e-d6341ca1bef1}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{afdf50be-5e36-4aca-908e-0b3b8189f802}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cf5e8574-21b3-4f63-94e4-667c1c152aa4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cf5e8574-21b3-4f63-94e4-667c1c152aa4}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\tokivafa.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\bosesufe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\feyimupa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fokivilo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jukabama.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kidohili.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\misahavu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\numagitu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\royotago.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sajijade.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\sebaruja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sobipore.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\dlgfsvcr.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\igfxtray.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hkcmd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\prismsvr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\SymNetDrv\sndmon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Lexmark 3100 Series\lxbrksk.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\cdgxgtxp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\clbwkit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\mpgmrc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\owhjo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\scoamk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\viqu.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\wgtqgxch.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\rundll32 .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\rundll32.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\av.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Adobe\acrotray .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Advanced Defender\advanceddefender .exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Advanced Defender\advanceddefender.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\is2010 .exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\is2010.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\app_dll.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dewezuwa.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\helper32.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lkmj.bdo.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\onyc.ffo.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\prismsvr .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\reyahezi.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rvlh9ohz36.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32 .exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\t74lfhd9g.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tijayefe.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wlhdble.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00003021.tmp.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00004713.tmp.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\rundll32.exe.delme301 (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Adobe\1536718.old (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\Adobe\2907281.old (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\Adobe\3249000.old (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Adobe\Updater5\adobeupdater .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Adobe\Updater5\adobeupdater .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Adobe\Updater5\adobeupdater .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Adobe\Updater5\adobeupdater .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Adobe\Updater5\adobeupdater.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Norton AntiVirus\cfgwiz.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Linksys\Linksys Wireless Manager\linksyswirelessmanager.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Messenger\msmsgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Office\Office12\groovemonitor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Explorer\js.mui (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Explorer\wmpscfgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000029.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000031.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000032.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000033.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000052.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000053.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000055.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000056.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000057.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000058.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000059.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000060.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000061.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000054.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000198.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000216.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000252.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001262.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000186.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000187.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000188.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000190.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000191.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000192.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000193.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000194.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000195.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000196.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000197.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000199.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000200.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000214.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000215.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000217.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000218.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000219.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000220.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000221.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000222.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000223.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000224.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000225.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000226.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000227.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000253.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000254.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000255.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000256.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000257.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000258.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000259.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000260.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000261.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000262.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000263.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000264.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000265.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001259.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001260.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001261.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001263.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001264.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001265.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001266.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001267.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001268.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001269.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001270.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001271.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0001272.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\app_dll.dll.2891375.old (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hkcmd .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ruvaluno.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\igfxtray .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\prismsvr .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sdra64.exe.vir (Malware.Mod) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ECUW01ZR\eH4d42d66dV0100f060006Rfdf63ca4102T06c243ef203l0409Ke5e8cf9a30dP000101080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PD6385EF\eH4d42d66dV0100f060006Ref8058fc102T06c24572203l0409Kceb7c8c530dP000101080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\win14.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\win4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\winD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\wmpscfgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    GMER


    GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-22 18:06:37
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwairfow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 827B0CA8 ZwConnectPort
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF857487E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8574BFE]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF70C3F80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[1584] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs reyahezi.dll c:\windows\system32\feyimupa.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- Files - GMER 1.0.15 ----

    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF 23304 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00483_.WMF 11192 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF 7768 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00505_.WMF 2724 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF 5924 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF 9730 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF 25184 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00610_.WMF 40064 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00629_.WMF 4070 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF 20486 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF 6842 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF 1412 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00126_.WMF 4660 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF 9052 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00178_.WMF 8514 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF 27840 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF 31818 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF 2272 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF 8276 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF 6144 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID 13358 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID 4961 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF 740 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF 363 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF 359 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF 410 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF 333 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01241_.GIF 386 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF 344 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF 431 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF 467 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF 341 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF 462 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF 4087 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF 427 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01292_.GIF 597 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF 679 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF 685 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG 30895 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG 29776 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG 41795 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG 42053 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG 11170 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG 12831 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG 48558 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF 3830 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF 31404 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF 982 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF 3594 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF 1910 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF 2834 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF 1772 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF 3350 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\ROAD_01.MID 5983 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SAFRI_01.MID 10122 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID 5058 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID 6392 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF 10762 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00260_.WMF 31908 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF 3932 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF 7596 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF 4712 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF 8416 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF 2788 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00452_.WMF 1344 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF 7608 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF 3292 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01041_.WMF 1548 bytes
    File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF 6916 bytes

    ---- EOF - GMER 1.0.15 ----



    HJT


    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:25:12 PM, on 2/22/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\program files\microsoft visual studio\bin\ir41_qcx .exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Security | Computer Security | Malicious Software
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
    O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
    O4 - HKCU\..\Run: [adobeupdater ] C:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Wireless Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7502 bytes

    Thanks in advance; I know it's a lot to look through!
     
  10. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Delete any ComboFix file, if you have it on your computer.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**

    1. Please never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
      NOTE 2. If ComboFix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
      • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
    4. Double click on ComboFix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  11. whoistony

    whoistony Techie7 New Member

    ComboFix 10-02-24.01 - Administrator 02/24/2010 16:57:05.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.345 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\rundll32 .exe
    c:\windows\Tasks\zjabuhvo.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
    .

    2010-02-21 20:52 . 2010-02-21 20:52 8 ----a-w- c:\program files\wpp.exe
    2010-02-21 01:58 . 2010-02-21 01:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-02-21 01:58 . 2010-02-21 02:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-21 01:31 . 2010-02-21 01:31 -------- d-----w- c:\program files\TrendMicro
    2010-02-16 22:09 . 2010-02-16 22:09 4 ----a-w- c:\program files\323843.dat
    2010-02-16 22:03 . 2010-02-16 22:03 4 ----a-w- c:\program files\1694484.dat
    2010-02-16 06:39 . 2010-02-16 06:39 4 ----a-w- c:\program files\4254453.dat
    2010-02-15 20:40 . 2010-02-17 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
    2010-02-15 01:14 . 2010-02-15 01:14 4 ----a-w- c:\program files\595109.dat
    2010-02-14 04:10 . 2010-02-14 04:10 4 ----a-w- c:\program files\1753671.dat
    2010-02-14 02:38 . 2010-02-21 00:30 0 ----a-w- c:\windows\Mvociyemamer.bin
    2010-02-14 02:38 . 2010-02-14 02:38 120 ----a-w- c:\windows\Etesevozujit.dat
    2010-02-13 03:22 . 2010-02-13 01:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-02-13 01:56 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-02-13 01:50 . 2010-02-13 01:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-02-12 22:26 . 2010-02-12 22:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-02-09 18:28 . 2001-08-17 19:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-02-09 18:28 . 2001-08-17 19:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-02-09 18:28 . 2001-08-17 20:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-02-09 18:28 . 2001-08-17 20:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-24 22:41 . 2007-10-07 02:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-24 22:41 . 2007-10-07 02:12 -------- d-----w- c:\program files\Norton AntiVirus
    2010-02-24 22:32 . 2007-10-07 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-24 22:32 . 2007-10-07 02:56 -------- d-----w- c:\program files\SymNetDrv
    2010-02-22 22:57 . 2009-01-05 16:28 -------- d-----w- c:\program files\Lexmark 3100 Series
    2010-02-22 22:56 . 2008-05-19 22:25 -------- d-----w- c:\program files\QuickTime
    2010-02-22 21:19 . 2008-10-17 17:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-21 01:31 . 2010-02-21 01:31 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-21 00:33 . 2004-08-03 22:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
    2010-02-14 01:11 . 2007-10-07 02:03 84336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-13 01:56 . 2010-02-13 01:56 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
    2010-02-13 01:56 . 2010-02-13 01:56 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
    2010-02-13 01:56 . 2010-02-13 01:56 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
    2010-02-13 01:56 . 2010-02-13 01:56 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
    2010-02-13 01:56 . 2010-02-13 01:56 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
    2010-02-13 01:56 . 2010-02-13 01:56 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
    2010-02-13 01:56 . 2010-02-13 01:56 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
    2010-02-13 01:55 . 2010-02-13 01:55 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
    2010-02-13 01:55 . 2010-02-13 01:55 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
    2010-02-13 01:55 . 2010-02-13 01:55 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
    2010-02-13 01:55 . 2010-02-13 01:55 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
    2010-02-13 01:55 . 2010-02-13 01:55 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
    2010-02-13 01:55 . 2010-02-13 01:55 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
    2010-02-13 01:55 . 2010-02-13 01:55 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
    2010-02-13 01:55 . 2010-02-13 01:55 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
    2010-02-13 01:55 . 2010-02-13 01:55 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
    2010-02-13 01:55 . 2010-02-13 01:55 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
    2010-02-12 22:31 . 2009-09-15 18:35 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
    2010-02-12 22:31 . 2007-10-17 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
    2010-02-12 22:31 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
    2010-02-12 22:31 . 2010-02-12 22:30 1794456 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
    2010-02-12 21:54 . 2007-10-09 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-26 02:33 . 2010-01-26 02:33 1924744 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
    2010-01-20 18:14 . 2010-02-13 01:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Flock\Browser\Profiles\ud1rn5ne.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\FFExternalAlert.dll
    2010-01-20 18:14 . 2010-02-13 01:32 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Flock\Browser\Profiles\ud1rn5ne.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\RadioWMPCore.dll
    2010-01-07 22:07 . 2008-10-17 17:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 22:07 . 2008-10-17 17:22 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-01 02:14 . 2007-10-09 21:15 -------- d-----w- c:\program files\Microsoft Works
    2009-12-31 16:14 . 2007-10-07 03:41 352640 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-30 02:01 . 2009-12-30 02:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
    2009-12-30 01:59 . 2009-12-30 01:48 -------- d-----w- c:\program files\Canon
    2009-12-30 01:50 . 2009-12-30 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
    2009-12-30 01:45 . 2009-12-30 01:45 -------- d-----w- c:\program files\Common Files\Canon
    2009-12-29 00:06 . 2009-12-29 00:06 -------- d-----w- c:\program files\Linksys
    2009-12-29 00:05 . 2009-12-29 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2009-12-29 00:05 . 2009-12-29 00:05 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
    2009-12-22 05:42 . 2007-10-07 03:41 662016 ------w- c:\windows\system32\wininet.dll
    2009-12-22 05:42 . 2007-10-07 03:40 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2007-10-07 01:52 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2007-10-07 03:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:55 . 2007-10-07 03:41 2180352 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-07 14:10 . 2010-02-13 01:50 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
    2009-12-04 14:41 . 2007-10-07 03:41 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:33 . 2007-10-07 03:41 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:37 . 2007-10-07 03:41 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:37 . 2007-10-07 03:41 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:37 . 2007-10-07 03:40 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    .
    Code:
    <pre>
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\Updater5\adobeupdater     .exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt .exe
    c:\program files\Java\jre1.6.0_02\bin\jusched .exe
    c:\program files\Lexmark 3100 Series\lxbrbmgr .exe
    c:\program files\Lexmark 3100 Series\lxbrksk .exe
    c:\program files\Linksys\Linksys Wireless Manager\linksyswirelessmanager .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\Microsoft Visual Studio\bin\ir41_qcx            .exe
    c:\program files\Norton AntiVirus\cfgwiz .exe
    c:\program files\QuickTime\qttask                       .exe
    c:\program files\SymNetDrv\sndmon .exe
    </pre>
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(ccEvtMgr) "="c:\program files\microsoft visual studio\bin\ir41_qcx .exe" [2008-10-17 9472]
    "adobeupdater "="c:\program files\common files\adobe\updater5\adobeupdater .exe" [2007-03-01 2321600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2010-02-24 111840]
    "LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [N/A]
    "Ndaperutewotevig"="c:\windows\urexafesujoxumu.dll" [N/A]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Remote System Protection"="c:\windows\system32\rvlh9ohz36.dll" [N/A]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-8-30 6144]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMAGS.EXE [2007-10-6 323584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Hasbro Interactive\\Scrabble v2.0\\Scrabble v2.0.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\WINDOWS\\system32\\taskmgr.exe"=
    "c:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr .exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8383:TCP"= 8383:TCP:TINYPROXY
    "53:TCP"= 53:TCP:TINYPROXY

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/12/2010 7:56 PM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/8/2007 4:13 PM 24652]
    S0 vqtu;vqtu;c:\windows\system32\drivers\ydnrcatk.sys --> c:\windows\system32\drivers\ydnrcatk.sys [?]
    S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/28/2009 6:03 PM 644096]
    S3 wlags48d;Agere Wireless PCCard Service;c:\windows\system32\drivers\wlags48d.sys [10/6/2007 8:24 PM 154112]
    S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [10/6/2007 9:42 PM 241805]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-24 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-24 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-24 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-24 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2007-10-07 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-10-07 22:26]

    2010-02-24 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/
    mStart Page = hxxp://www.gatewaybiz.com
    mSearch Bar = hxxp://www.google.com/
    mSearchMigratedDefaultURL = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:8383
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.google.com/
    mSearchURL = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uiyy21ge.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8383
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-24 17:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2308)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-24 17:20:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-24 23:20
    ComboFix2.txt 2010-02-21 03:06
    ComboFix3.txt 2010-02-21 01:27

    Pre-Run: 31,080,927,232 bytes free
    Post-Run: 31,061,700,608 bytes free

    - - End Of File - - E1F8ADCD5565E4C74743CDEB89130DD8

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 5:39:13 PM, on 2/24/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\program files\microsoft visual studio\bin\ir41_qcx .exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Flock\flock\flock.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Security | Computer Security | Malicious Software
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
    O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
    O4 - HKCU\..\Run: [adobeupdater ] C:\program files\common files\adobe\updater5\adobeupdater .exe
    O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Wireless Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6027 bytes
     
  12. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\wpp.exe
    c:\program files\323843.dat
    c:\program files\1694484.dat
    c:\program files\4254453.dat
    c:\program files\595109.dat
    c:\program files\1753671.dat
    c:\windows\Mvociyemamer.bin
    c:\windows\Etesevozujit.dat
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\Updater5\adobeupdater     .exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt .exe
    c:\program files\Java\jre1.6.0_02\bin\jusched .exe
    c:\program files\Lexmark 3100 Series\lxbrbmgr .exe
    c:\program files\Lexmark 3100 Series\lxbrksk .exe
    c:\program files\Linksys\Linksys Wireless Manager\linksyswirelessmanager .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\Microsoft Visual Studio\bin\ir41_qcx            .exe
    c:\program files\Norton AntiVirus\cfgwiz .exe
    c:\program files\QuickTime\qttask                       .exe
    c:\program files\SymNetDrv\sndmon .exe
    c:\windows\urexafesujoxumu.dll
    c:\windows\system32\rvlh9ohz36.dll
    c:\windows\system32\drivers\ydnrcatk.sys
    
    
    Folder::
    
    Driver::
    vqtu
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ndaperutewotevig"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Remote System Protection"=-
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
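    The logs in whoistony's post above show, on one machine, the whole set of tampering this infection performs: a proxy forced onto 127.0.0.1:8383 in both IE and Firefox, firewall exceptions for that port and for 53:TCP, the Security Center overrides and the disabled firewall, static DNS servers, Run entries that load randomly named DLLs through rundll32, the "name .exe" copies planted next to legitimate programs, and a boot-start driver (vqtu) with no file information. broni's reply then turns those observations into a CFScript. The script below is an added worked example, not part of either post and not a HijackThis, ComboFix or Techie7 feature: it runs the checks a responder would apply to such log lines and drafts the File::, Driver:: and Registry:: sections in the layout broni used. The sample lines are copied from the logs above; the tag names, the HijackThis-to-registry hive mapping and the choice of what to flag are the example's own, and the draft is narrower than broni's script because it only sees the lines it is given. Anything it emits is for review against the full logs, never for unattended execution.

```python
"""Triage HijackThis / ComboFix log lines for the hijack indicators seen in this
thread and draft the CFScript sections that would address them.  Added example,
not a HijackThis, ComboFix or Techie7 tool: tag names, hive mapping and sample
list are this example's own.  Review every emitted line before using any of it."""
import ipaddress
import re

# Sample input: lines copied from the ComboFix and HijackThis logs posted above.
SAMPLE_LINES = [
    r'R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383',
    r'O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe',
    r'O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup',
    r'O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set',
    r"O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')",
    r'O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93',
    r'"AntiVirusOverride"=dword:00000001',
    r'"EnableFirewall"= 0 (0x0)',
    r'"8383:TCP"= 8383:TCP:TINYPROXY',
    r'S0 vqtu;vqtu;c:\windows\system32\drivers\ydnrcatk.sys --> c:\windows\system32\drivers\ydnrcatk.sys [?]',
    r'S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/28/2009 6:03 PM 644096]',
]
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}  # HKUS\<sid> -> HKEY_USERS\<sid>

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def finding(tag, why, line, file=None, driver=None, reg=None):
    return dict(tag=tag, why=why, line=line, file=file, driver=driver, reg=reg)

def check_local_proxy(line):
    # IE "ProxyServer = http=127.0.0.1:8383" or Firefox "network.proxy.http - 127.0.0.1":
    # a home machine has no business proxying its own browser traffic through localhost.
    m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?([\d.]+):\d+", line) or re.search(r"network\.proxy\.http - ([\d.]+)", line)
    ip = _ip(m.group(1)) if m else None
    return finding("local-proxy", "browser traffic forced through a proxy on " + m.group(1), line) if ip and ip.is_loopback else None

def check_run_entry(line):
    m = re.match(r"O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.*?)\] (.*)$", line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    root = HIVES.get(hive) or "HKEY_USERS\\" + hive.split("\\", 1)[1]
    reg = (root + RUN_SUBKEY, name)  # key and value name to delete with "name"=-
    dll = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', cmd, re.I)
    if dll:
        return finding("rundll32-run", "logon entry loads a DLL through rundll32: " + dll.group(1), line, file=dll.group(1), reg=reg)
    exe = re.search(r'"?([A-Za-z]:\\[^"]*?\s\.exe)', cmd, re.I)
    if exe:  # "name .exe": a planted file named after a legitimate program plus a space
        return finding("spaced-exe", "space before .exe, look-alike of a legitimate program: " + exe.group(1), line, file=exe.group(1), reg=reg)
    return None

def check_dns(line):
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", line)
    public = [s.strip() for s in (m.group(1).split(",") if m else []) if _ip(s.strip()) and _ip(s.strip()).is_global]
    return finding("static-dns", "resolvers hard-set to public addresses, confirm they are the ISP's or the router's: " + ", ".join(public), line) if public else None

PROTECTION_OFF = {
    '"AntiVirusOverride"=dword:00000001': "Security Center told not to warn about antivirus",
    '"FirewallOverride"=dword:00000001': "Security Center told not to warn about the firewall",
    '"EnableFirewall"= 0': "Windows Firewall switched off for the standard profile",
}

def check_registry(line):
    for prefix, why in PROTECTION_OFF.items():
        if line.startswith(prefix):
            return finding("protection-disabled", why, line)
    m = re.match(r'"(\d+):(TCP|UDP)"=\s*\S+:(\w+)', line)
    return finding("open-port", f"firewall exception opens inbound {m.group(1)}/{m.group(2)} for '{m.group(3)}'", line) if m else None

def check_driver(line):
    # ComboFix service line "<start> <name>;<display>;<image> [<date> <size>]"; "[?]" = no file info for the image.
    m = re.match(r"[RS]\d\s+([^;]+);[^;]+;(.+?\.sys)\b.*\[\?\]$", line, re.I)
    return finding("phantom-driver", f"service '{m.group(1)}' loads a driver with no file information", line, file=m.group(2), driver=m.group(1)) if m else None

CHECKS = (check_local_proxy, check_run_entry, check_dns, check_registry, check_driver)

def triage(lines):
    """First matching check wins for each line; returns the list of finding dicts."""
    hits = (next((h for h in (c(ln.strip()) for c in CHECKS) if h), None) for ln in lines)
    return [h for h in hits if h]

def draft_cfscript(findings):
    # Same section layout as the script in the reply above: File:: paths,
    # Driver:: service names, Registry:: keys with "name"=- to delete a value.
    files = [f["file"] for f in findings if f["file"]]
    drivers = [f["driver"] for f in findings if f["driver"]]
    reg = {}
    for key, name in (f["reg"] for f in findings if f["reg"]):
        reg.setdefault(key, []).append(name)
    out = ["File::", *files, "", "Driver::", *drivers, "", "Registry::"]
    for key, names in reg.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    print("\n".join(f"[{f['tag']:19}] {f['why']}" for f in found) + "\n\n" + draft_cfscript(found))
```

    Run stand-alone it prints the findings and the draft. The draft lists the HKCU value "(ccEvtMgr) " for deletion because the flagged "ir41_qcx .exe" is launched from it, whereas broni's script removed only the file; that kind of difference is what the review step before running ComboFix is for.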
     
  13. whoistony

    whoistony Techie7 New Member

    ComboFix 10-02-24.03 - Administrator 02/25/2010 12:59:28.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.300 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

    FILE ::
    "c:\program files\1694484.dat"
    "c:\program files\1753671.dat"
    "c:\program files\323843.dat"
    "c:\program files\4254453.dat"
    "c:\program files\595109.dat"
    "c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe"
    "c:\program files\Common Files\Adobe\Updater5\adobeupdater .exe"
    "c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe"
    "c:\program files\Common Files\Symantec Shared\ccapp .exe"
    "c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt .exe"
    "c:\program files\Java\jre1.6.0_02\bin\jusched .exe"
    "c:\program files\Lexmark 3100 Series\lxbrbmgr .exe"
    "c:\program files\Lexmark 3100 Series\lxbrksk .exe"
    "c:\program files\Linksys\Linksys Wireless Manager\linksyswirelessmanager .exe"
    "c:\program files\Messenger\msmsgs .exe"
    "c:\program files\Microsoft Office\Office12\groovemonitor .exe"
    "c:\program files\Microsoft Visual Studio\bin\ir41_qcx .exe"
    "c:\program files\Norton AntiVirus\cfgwiz .exe"
    "c:\program files\QuickTime\qttask .exe"
    "c:\program files\SymNetDrv\sndmon .exe"
    "c:\program files\wpp.exe"
    "c:\windows\Etesevozujit.dat"
    "c:\windows\Mvociyemamer.bin"
    "c:\windows\system32\drivers\ydnrcatk.sys"
    "c:\windows\system32\rvlh9ohz36.dll"
    "c:\windows\urexafesujoxumu.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\1694484.dat
    c:\program files\1753671.dat
    c:\program files\323843.dat
    c:\program files\4254453.dat
    c:\program files\595109.dat
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\Updater5\adobeupdater .exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt .exe
    c:\program files\Java\jre1.6.0_02\bin\jusched .exe
    c:\program files\Lexmark 3100 Series\lxbrbmgr .exe
    c:\program files\Lexmark 3100 Series\lxbrksk .exe
    c:\program files\Linksys\Linksys Wireless Manager\linksyswirelessmanager .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\Microsoft Visual Studio\bin\ir41_qcx .exe
    c:\program files\Norton AntiVirus\cfgwiz .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\SymNetDrv\sndmon .exe
    c:\program files\wpp.exe
    c:\windows\Etesevozujit.dat
    c:\windows\Mvociyemamer.bin

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_vqtu


    ((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
    .

    2010-02-21 01:58 . 2010-02-21 01:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-02-21 01:58 . 2010-02-21 02:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-21 01:31 . 2010-02-21 01:31 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 20:40 . 2010-02-17 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
    2010-02-13 03:22 . 2010-02-13 01:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-02-13 01:56 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-02-13 01:50 . 2010-02-13 01:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-02-12 22:26 . 2010-02-12 22:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-02-09 18:28 . 2001-08-17 19:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-02-09 18:28 . 2001-08-17 19:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-02-09 18:28 . 2001-08-17 20:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-02-09 18:28 . 2001-08-17 20:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-25 19:07 . 2008-05-19 22:25 -------- d-----w- c:\program files\QuickTime
    2010-02-25 19:07 . 2007-10-07 02:56 -------- d-----w- c:\program files\SymNetDrv
    2010-02-25 19:07 . 2007-10-07 02:12 -------- d-----w- c:\program files\Norton AntiVirus
    2010-02-25 19:07 . 2009-01-05 16:28 -------- d-----w- c:\program files\Lexmark 3100 Series
    2010-02-25 19:07 . 2007-10-07 02:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-24 22:32 . 2007-10-07 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-22 21:19 . 2008-10-17 17:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-21 01:31 . 2010-02-21 01:31 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-21 00:33 . 2004-08-03 22:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
    2010-02-14 01:11 . 2007-10-07 02:03 84336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-13 01:56 . 2010-02-13 01:56 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
    2010-02-13 01:56 . 2010-02-13 01:56 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
    2010-02-13 01:56 . 2010-02-13 01:56 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
    2010-02-13 01:56 . 2010-02-13 01:56 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
    2010-02-13 01:56 . 2010-02-13 01:56 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
    2010-02-13 01:56 . 2010-02-13 01:56 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
    2010-02-13 01:56 . 2010-02-13 01:56 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
    2010-02-13 01:55 . 2010-02-13 01:55 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
    2010-02-13 01:55 . 2010-02-13 01:55 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
    2010-02-13 01:55 . 2010-02-13 01:55 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
    2010-02-13 01:55 . 2010-02-13 01:55 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
    2010-02-13 01:55 . 2010-02-13 01:55 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
    2010-02-13 01:55 . 2010-02-13 01:55 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
    2010-02-13 01:55 . 2010-02-13 01:55 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
    2010-02-13 01:55 . 2010-02-13 01:55 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
    2010-02-13 01:55 . 2010-02-13 01:55 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
    2010-02-13 01:55 . 2010-02-13 01:55 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
    2010-02-12 22:31 . 2009-09-15 18:35 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
    2010-02-12 22:31 . 2007-10-17 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
    2010-02-12 22:31 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
    2010-02-12 22:31 . 2010-02-12 22:30 1794456 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
    2010-02-12 21:54 . 2007-10-09 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-26 02:33 . 2010-01-26 02:33 1924744 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
    2010-01-20 18:14 . 2010-02-13 01:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Flock\Browser\Profiles\ud1rn5ne.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\FFExternalAlert.dll
    2010-01-20 18:14 . 2010-02-13 01:32 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Flock\Browser\Profiles\ud1rn5ne.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\RadioWMPCore.dll
    2010-01-07 22:07 . 2008-10-17 17:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 22:07 . 2008-10-17 17:22 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-01 02:14 . 2007-10-09 21:15 -------- d-----w- c:\program files\Microsoft Works
    2009-12-31 16:14 . 2007-10-07 03:41 352640 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-30 02:01 . 2009-12-30 02:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
    2009-12-30 01:59 . 2009-12-30 01:48 -------- d-----w- c:\program files\Canon
    2009-12-30 01:50 . 2009-12-30 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
    2009-12-30 01:45 . 2009-12-30 01:45 -------- d-----w- c:\program files\Common Files\Canon
    2009-12-29 00:06 . 2009-12-29 00:06 -------- d-----w- c:\program files\Linksys
    2009-12-29 00:05 . 2009-12-29 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2009-12-29 00:05 . 2009-12-29 00:05 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
    2009-12-22 05:42 . 2007-10-07 03:41 662016 ------w- c:\windows\system32\wininet.dll
    2009-12-22 05:42 . 2007-10-07 03:40 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2007-10-07 01:52 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2007-10-07 03:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:55 . 2007-10-07 03:41 2180352 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-07 14:10 . 2010-02-13 01:50 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
    2009-12-04 14:41 . 2007-10-07 03:41 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2010-02-24 111840]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-8-30 6144]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMAGS.EXE [2007-10-6 323584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Hasbro Interactive\\Scrabble v2.0\\Scrabble v2.0.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\WINDOWS\\system32\\taskmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8383:TCP"= 8383:TCP:TINYPROXY
    "53:TCP"= 53:TCP:TINYPROXY

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/12/2010 7:56 PM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/8/2007 4:13 PM 24652]
    S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/28/2009 6:03 PM 644096]
    S3 wlags48d;Agere Wireless PCCard Service;c:\windows\system32\drivers\wlags48d.sys [10/6/2007 8:24 PM 154112]
    S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [10/6/2007 9:42 PM 241805]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:55]

    2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2007-10-07 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-10-07 22:26]

    2010-02-25 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/
    mStart Page = hxxp://www.gatewaybiz.com
    mSearch Bar = hxxp://www.google.com/
    mSearchMigratedDefaultURL = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:8383
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.google.com/
    mSearchURL = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uiyy21ge.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8383
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-(ccEvtMgr) - c:\program files\microsoft visual studio\bin\ir41_qcx .exe
    HKCU-Run-adobeupdater - c:\program files\common files\adobe\updater5\adobeupdater .exe
    HKLM-Run-LXBRKsk - c:\progra~1\LEXMAR~1\LXBRKsk.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-25 13:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2388)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-25 13:26:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-25 19:26
    ComboFix2.txt 2010-02-24 23:20
    ComboFix3.txt 2010-02-21 03:06
    ComboFix4.txt 2010-02-21 01:27

    Pre-Run: 31,028,432,896 bytes free
    Post-Run: 30,984,511,488 bytes free

    - - End Of File - - 9137D04CBCB85136E04085C8F9C673F8

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 1:31:07 PM, on 2/25/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Security | Computer Security | Malicious Software
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Wireless Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5249 bytes
     
  14. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    Re-run Malwarebytes and post its log.
     
  15. whoistony

    whoistony Techie7 New Member

    Sorry for the delay; busy weekend.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3777
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2/28/2010 12:42:08 PM
    mbam-log-2010-02-28 (12-42-08).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 180340
    Time elapsed: 48 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  16. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Download Temp File Cleaner (TFC)
    Double-click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  17. whoistony

    whoistony Techie7 New Member

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, March 1, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, March 01, 2010 20:43:46
    Records in database: 3679174
    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes
    Scan area: My Computer
    C:\
    D:\
    Scan statistics
    Objects scanned: 66608
    Threats found: 4
    Infected objects found: 7
    Suspicious objects found: 0
    Scan duration: 03:21:21

    File name Threat Threats count
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-3545425-supermissive black hole muse.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-3877629-Twilight Soundtrack robert pattinson -never think.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-5236582-never think robert pattinson.mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-5933793-cats meow adam smalley scott hot new track.mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
    C:\Documents and Settings\Administrator\Incomplete\T-3877629-Twilight Soundtrack robert pattinson -never think.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
    C:\Documents and Settings\Administrator\Incomplete\T-5933793-cats meow adam smalley scott hot new track.mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
    C:\System Volume Information\_restore{C7D89CF6-77EC-4D0E-8E7E-9546B81AFDDD}\RP1\A0000030.exe Infected: Trojan.Win32.Inject.amuu 1
    Selected area has been scanned.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 10:40:27 PM, on 3/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Flock\flock\flock.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Security | Computer Security | Malicious Software
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Wireless Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5296 bytes
     
  18. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download OTM


    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-3545425-supermissive black  hole muse.mp3    
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-3877629-Twilight Soundtrack  robert pattinson -never think.mp3    
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-5236582-never think robert  pattinson.mp3    
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-5933793-cats meow adam  smalley scott hot new track.mp3     
    C:\Documents and Settings\Administrator\Incomplete\T-3877629-Twilight  Soundtrack robert pattinson -never think.mp3    
    C:\Documents and Settings\Administrator\Incomplete\T-5933793-cats meow  adam smalley scott hot new track.mp3
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTM and reboot your PC.


    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
    Last edited: Mar 3, 2010
  19. whoistony

    whoistony Techie7 New Member

    This is what she got when she tried to follow your directions... I believe she rebooted and then tried to send the log. I don't know what all the moonspeak is about, haha.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File/Folder C:\Documents and  Settings\Administrator\Incomplete\Preview-T-3545425-supermissive black  hole muse.mp3 not found.
    File/Folder C:\Documents and Settings\Administrator\Incomplete\Preview-T-3877629-Twilight Soundtrack robert pattinson -never think.mp3 not found.
    File/Folder C:\Documents and  Settings\Administrator\Incomplete\Preview-T-5236582-never think robert  pattinson.mp3 not found.
    File/Folder C:\Documents and Settings\Administrator\Incomplete\Preview-T-5933793-cats meow adam smalley scott hot new track.mp3 not found.
    File/Folder C:\Documents and Settings\Administrator\Incomplete\T-3877629-Twilight  Soundtrack robert pattinson -never think.mp3 not found.
    File/Folder C:\Documents and Settings\Administrator\Incomplete\T-5933793-cats meow adam smalley scott hot new track.mp3 not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 99960654 bytes
    ->Temporary Internet Files folder emptied: 72095 bytes
    ->Java cache emptied: 1060322 bytes
    ->FireFox cache emptied: 2697159 bytes
    ->Flash cache emptied: 3404 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 6336194 bytes

    Total Files Cleaned = 105.00 mb

    OTM by OldTimer - Version 3.1.10.0 log created on 03022010_173759
    Files moved on Reboot...
    Registry entries deleted on Reboot...
     
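The "moonspeak" in the post above is not Chinese but a UTF-16 alignment problem: OTM writes its log as UTF-16LE, and once a step strips the 0x0D byte of each CRLF, every second line is decoded one byte out of step, so '=' (0x3D) shows as U+3D00 and a newline as U+0A00. The Python below is an added example, not part of the thread or of OTM: it reproduces that damage on a constructed sample and repairs it (the CR-stripping mechanism and the function names are my inference from the alternating pattern in the post, not anything OTM documents).

```python
"""Reproduce and repair a UTF-16LE log pasted with flipped byte alignment.

Added example; not part of the forum thread or of OTM. The mechanism is
inferred from the post: a UTF-16LE file (ASCII byte, then 0x00) loses one
byte at every CRLF when lone 0x0D bytes are stripped, so the 16-bit
alignment flips at each line end. Misaligned text pairs each ASCII byte
with the following zero byte, which is why '=' appears as U+3D00, 'P' as
U+5000 and the digit '0' as U+3000 (an ideographic space).
"""


def garble_utf16le(text: str) -> str:
    """Simulate the failure: encode as UTF-16LE, strip every 0x0D byte."""
    raw = text.encode("utf-16-le").replace(b"\r", b"")
    # An odd number of stripped bytes leaves a dangling byte at the end;
    # decoders show it as U+FFFD, the stray character closing the post.
    return raw.decode("utf-16-le", errors="replace")


def repair_shifted_utf16(text: str) -> str:
    """Undo the shift.

    A code point above U+00FF whose low byte is 0x00 is one displaced ASCII
    byte sitting in the high byte; correctly decoded ASCII passes through
    unchanged, as do genuine non-ASCII characters (their low byte is not
    zero). NUL and U+FFFD are alignment debris and are dropped.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if cp == 0 or cp == 0xFFFD:
            continue
        if cp > 0xFF and (cp & 0xFF) == 0:
            out.append(chr(cp >> 8))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample in OTM's log format (CRLF line endings); not the
# thread's real log.
CLEAN_LOG = (
    "All processes killed\r\n"
    "========== PROCESSES ==========\r\n"
    "========== SERVICES/DRIVERS ==========\r\n"
    "->Temp folder emptied: 99960654 bytes\r\n"
    "->Temporary Internet Files folder emptied: 72095 bytes\r\n"
    "Registry entries deleted on Reboot...\r\n"
)

# Short excerpt of the garbled post, written with escapes so the code is
# unambiguous; it renders as "killed਀㴀㴀 倀刀伀".
EXCERPT = "killed\u0a00\u3d00\u3d00\u2000\u5000\u5200\u4f00"


def round_trip(text: str = CLEAN_LOG) -> str:
    """Garble a clean log and repair it; returns LF-terminated text."""
    return repair_shifted_utf16(garble_utf16le(text))


if __name__ == "__main__":
    print(garble_utf16le(CLEAN_LOG))   # alternating readable/garbled lines
    print("---- repaired ----")
    print(round_trip())
    print(repair_shifted_utf16(EXCERPT))
```

Line endings come back as bare LF because the CR bytes were already gone before the text reached the decoder; nothing else is lost.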
  20. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    I don't read Chinese either....LOL
    Re-do, please.