# network problem



## middling (Mar 10, 2009)

I have a small home network. My PC is wired to the modem and the router. Both other PCs can connect to the internet but mine cannot. I'm running XP Pro SP2. The DHCP file is missing from the services folder and ipconfig shows 0.0.0.0 and no default gateway. Other commands tell me that my media is disconnected. Device Manager tells me the hardware is working properly. I have tried RegCure - no help. I've tried HijackThis, no help. I've tried the netsh command. No help. I've tried new cables - tried disconnecting and reconnecting several times - even tried a new card. No help. Tried WinsockFix - no help. Tried re-installing the Linksys software and it stalls telling me to plug in the router when it's already plugged in and working. I have no access to the firewall - I get a message that an unknown problem will not allow the machine to access settings. I have McAfee installed - tried disabling, no help. It may have come about through an installation of Windows OneCare which would not work because of McAfee - I deleted OneCare - still no good. I've tried so many fixes I can't remember all that I've done. Can anyone help!!!!!!!!!


----------



## aasimenator (Dec 21, 2008)

One thing you didn't try was assigning an IP manually. Check the other two systems' IP configuration by Start > Run > cmd > type "ipconfig /all" (without quotes).
Then assign your computer an IP address in the same range; the rest should remain the same on your computer.


----------



## middling (Mar 10, 2009)

Thank you for your reply. I would be grateful if you could send me the instructions for manual assignment. (I'm a newbie to networking!!) If it works, I understand that if I manually assign, without the DHCP file, I would need to re-assign on each new startup. Is that correct?


----------



## aasimenator (Dec 21, 2008)

No, you won't have to assign IPs every time. Once configured you never need to look at it again unless you need to change the IP.
Open Network Connections from Control Panel. There you will see your LAN card; right click on it & select Properties. Or you can also right click on the network icon & select Properties.

In the Properties window that opens select TCP/IP & then select Properties, or you can also double click on TCP/IP to get its properties.
You will need to enter IP Address, Subnet Mask, Default Gateway, Preferred DNS & Alternate DNS. You can get these settings from the computer that works fine.

E.g. if computer 1's network configuration is like this:

```
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.100
Preferred DNS: 192.168.1.1
Alternate DNS: 203.7.1.3
```

& computer 2's network configuration is:

```
IP Address: 192.168.1.3
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.100
Preferred DNS: 192.168.1.1
Alternate DNS: 203.7.1.3
```

then you will have to assign an IP to the computer in the same series. Remember to change only the IP address; the rest should remain the same.

```
IP Address: 192.168.1.3
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.100
Preferred DNS: 192.168.1.1
Alternate DNS: 203.7.1.3
```


----------
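A small check for the manual-assignment step described in the post above, added here as an example; it is not part of aasimenator's post or of any tool the thread mentions. It uses Python's standard `ipaddress` module to confirm that a proposed static address lies in the same subnet as the working machines and the gateway, is not the network or broadcast address, and is not already held by another host on the LAN (a duplicate address is one of the causes of an all-zero address raised later in the thread). The mask and gateway are the values quoted in the post; `IN_USE` is a constructed list of addresses assumed to be taken already.

```python
import ipaddress

# Mask and gateway quoted in the post above; IN_USE is a constructed set of
# the addresses assumed to be handed out on this LAN already (two PCs and the router).
SUBNET_MASK = "255.255.255.0"
GATEWAY = "192.168.1.100"
IN_USE = ["192.168.1.1", "192.168.1.3", "192.168.1.100"]


def validate_static_config(ip, mask, gateway, in_use):
    """Return a list of problems with a proposed static IPv4 setting.

    An empty list means the address is usable: it is a host address inside the
    subnet, the gateway is reachable on that subnet, and nothing else on the
    LAN is already using it.
    """
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts a dotted netmask
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)

    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}; traffic could never leave the LAN")
    if iface.ip == gw:
        problems.append(f"{iface.ip} is the gateway's own address")
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    if iface.ip in taken:
        problems.append(f"{iface.ip} is already in use on the LAN (duplicate IP)")
    return problems


def first_free_host(mask, gateway, in_use):
    """Pick the lowest host address in the gateway's subnet that nobody uses yet."""
    net = ipaddress.IPv4Interface(f"{gateway}/{mask}").network
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    for host in net.hosts():
        if host not in taken:
            return str(host)
    return None  # subnet exhausted


if __name__ == "__main__":
    for candidate in ("192.168.1.3", "192.168.1.2", "192.168.2.5", "192.168.1.255"):
        result = validate_static_config(candidate, SUBNET_MASK, GATEWAY, IN_USE)
        print(candidate, result or "ok")
    print("suggested:", first_free_host(SUBNET_MASK, GATEWAY, IN_USE))
```

Run it as a script to see each candidate judged; the third candidate shows why copying the gateway from the working machines matters, since an address on a different subnet passes every other check but can never reach it.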



## middling (Mar 10, 2009)

This is part of the problem. Network Connections is now blank as if I have nothing installed. So it is impossible to select Properties. I repeat, both other PCs are working normally and Device Manager reports all cards working correctly. It may be a firewall problem as I can't access the firewall at all and all help files have been disabled. ipconfig /all reports that the media is disconnected. Any other ideas??


----------



## aasimenator (Dec 21, 2008)

Yeah, try a different network card.


----------



## middling (Mar 10, 2009)

I tried a new Ethernet card from another computer I have. No go. I still don't understand how the other two computers get internet if the card is bad. I appreciate all your help by the way - but it's so baffling.


----------



## DoubleHelix (Dec 10, 2004)

If two other computers are connecting to the Internet without a problem, you do not want to use static IP addressing on all computers or just run out and buy a new network adapter. 

This thread is in the wrong forum, so you're not getting the right responses. Click the Report link and ask that it be moved to the Networking forum.


----------



## middling (Mar 10, 2009)

thanks for the help but I tried another card from an older computer. My computer accepted the card but I still get no IP address.


----------



## dlsayremn (Feb 10, 2008)

If Network Connections is completely blank (no connection wizards), you cannot access your firewall, and help is disabled, I would suspect malware.


----------



## middling (Mar 10, 2009)

Thank you. I have run my McAfee VirusScan and Ad-Aware software several times but it doesn't help.


----------



## rainforest123 (Dec 29, 2004)

m:
McAfee & Ad-Aware are OK, but NOT state of the art regarding malware removal and identification

Please supply the following info, exact make and models of the equipment please.

Name of your ISP (Internet Service Provider).
Make and exact model of the broadband modem.
Make and exact model and hardware version of the router (if a separate unit).
Model numbers can usually be obtained from the label on the device.
Connection type, wired or wireless.
If wireless, encryption used, (none, WEP, WPA, or WPA2)
Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.
The Internet Browser in use, IE, Firefox, Opera, etc.

Please give an exact description of your problem symptoms, including the exact text of any error messages.

If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms? 
For wireless issues, have you disabled all encryption on the router to see if you can connect that way? 
Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue? 
If there are other computers on the same network, are they experiencing the same issue, or do they function normally?

On any affected computer, I'd also like to see this:

Hold the Windows key and press R, then type CMD (COMMAND for W98/WME) to open a command prompt:

Type the following commands on separate lines, following each one with the Enter key:

PING 206.190.60.37

PING yahoo.com

NBTSTAT -n

IPCONFIG /ALL

Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW

Source: JohnWill at http://forums.techguy.org/networking/809141-laptop-wont-connect-router.html

***************************************

Please post the following information connected directly to your modem.

Hold the Windows key and press R, then type CMD to open a command prompt:

In the command prompt window that opens, type the following command:

Note that there is a space before the /ALL, but there is NOT a space after the / in the following command.

IPCONFIG /ALL

Right click in the command window and choose Select All, then hit Enter to copy the contents to the clipboard.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.

Source: JohnWill at http://forums.techguy.org/networking/808586-solved-wireless-router-problem.html#post6563425

RF123


----------



## middling (Mar 10, 2009)

Thanks rainforest- this is getting complicated. I'll try to respond in order.
I have 3 computers-2 pcs and a laptop. THe problem is the host machine. Both others connect no problem though this machine displays the following messages n startup. ' connecting through wan miniport' then 'error 815- The broadband network connection could not be established because the remote server is not responding. This could be an invalid 'service name'. Please contact your isp to inquire about the correct value for this field.' This machine though is already connected and displays the connected icon on lower RH side!!! I just close both windows and there is no problem. My laptop has no problem at all connecting wirelessly!! I performed the commands you requested. Unfortunately, for some reason I can't attach them to this email so I'll type them out exactly as reeived (buggar) 
1) Pinging 206.190.60.37 with 32 bytes of data:
Destination host unreachable
" " "
" " "
" " "
Ping statistics for 206.190.60.37:
packets sent:4, Received=0, Lost=4 (100%loss).

ping yahoo.com
Ping request could not find host yahoo.com Please check name and try again

NBSTAT -n

Local area connection 2:
Node IpAddress:[0.0.0.0]Scope Id:[]

No names in cache

IPCONFIG /ALL

Windows IP Configuration

Host Name.............c
Primary Dns Suffix...........:
Node Type............:Broadcast
IP Routing enabled...........:No
WINS Proxy Enabled.........:No

Ethernet adapter Local Area connection 2:

Connection specific DNS Suffix . :
Description................: Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address............: 00-0E-A6-2D-48-F3
Dchp Enabled................: Yes
IP Address....................: 0.0.0.0.
Subnet Mask.................: 0.0.0.0.
Default Gateway............:
DHCP Server..................: 255.255.255.255

Ethernet adapter Wireless Network Connection:

Media State....................: Media disconnected
Description......................: Dual-Band Wireless A+G PCI Adapter
Physical Address...............: 00-0C-41-16-C0-6E

2) Wireless Setting is

Network name(SSID): Mervalex
Network Key ( WEP/WPA Key): xxxxxxxxxxxxxxxx
Network Authentication type: WEP
Connection Type : ESS
Key Index:

My ISP Provider is VIDEOTRON.CA
Router is Cisco-Linksys- model # WRT5492VI
The machine is wired
Running XP Pro SP3
Using Windows Internet Explorer

The main problem is the host computer cannot connect to the internet or access firewall settings or help/support. When I try to access firewall settings I get ' Due to an unidentified problem windows cannot display windows firewall setting'
Help displays " Windows cannot open help and support because a system service is not running. To fix this problem start the service Help and support." Head breaking stuff!!!!! Ive tried numerous things as outline in my other postings. Hope you can help and thank you so much.


----------



## middling (Mar 10, 2009)

I think I've attached a Hijackthis log file to this message but I'm not sure if it worked or if it will be of any help to you.


----------



## rainforest123 (Dec 29, 2004)

WHOA!!

middling: 
Please edit your thread and remove your network key. 

RF123


----------



## rainforest123 (Dec 29, 2004)

What do you mean by "host machine"?

Do your 3 computers connect either wirelessly or via ethernet to your router?

"My pc is wired to the modem and the router."
Do you mean that your computer is connected to your modem, but the other computers connect, through a router, which is connected to your modem?

See attachment. 
Is your system like 1 or 2, or other?
Pink rectangles represent PCs.

Some modems have an ethernet port and a USB port. I have seen users try to connect multiple computers to a modem; 1 via ethernet & 1 via USB. I do not know how to do that successfully.

"THe problem is the host machine. Both others connect no problem though this machine displays the following messages n startup."

Does "the host machine" connect using Wi-Fi or Ethernet?

Does "other PC 1" connect using Wi-Fi or Ethernet?

Does "other PC 2" connect using Wi-Fi or Ethernet?

When did the problem begin? When did things last work well? What changed? Installation or removal of hardware / software, to include updates to Windows, your antivirus, other program updates? Did you run a reg cleaner? I am NOT suggesting a reg cleaner.

DHCP server of 255.255.255.255 is not correct.

1. Go to the Control Panel.
2. In the upper left, make sure it says "switch to category view", which means you are in the classic view.
3. Open "network connections".
4. RIGHT click your LAN.
5. Left click "properties".

What is in "this connection uses the following items"?

1. If internet protocol [ tcp / ip ] is present, left click it.
2. Then, left click "properties".
3. Is it set to obtain automatically?
4. Left click the "advanced" button.
5. What's in "ip addresses" & "default gateway"?

Feel free to create screen shots & attach them.

Send a screen shot.

On your keyboard, look for a key labeled "print screen" OR "PrtSc" OR "PRN SCN" or some variation.

1. When you want to capture that which is displayed, press the print screen button.
2. Open Paint [ start > programs / all programs > accessories > paint [ rarely MS Paint ] ].
3. Maximize Paint.
4. Left click "edit".
5. Left click "paste".
6. File > save as.
7. Save the file to any location of your choice.
8. File name: your choice, for example: "filename".
9. Save as type: left click the down-pointing arrow. Left click jpg / jpeg.
10. Left click "save" / "ok".

The file has now been saved as filename.jpg [ or filename.jpeg ].

Return to the thread.

1. Left click "go advanced".
2. Left click "manage attachments".
3. Left click "browse".
4. Browse to the location, on your computer, where you saved "filename.jpg".
5. Left click filename.jpg.
6. Left click "open".
7. Left click "Upload".
8. Close the window of the upload screen after the file has been uploaded.
9. Enter text into the reply area.
10. Left click "submit".

RF123


----------



## Cookiegal (Aug 27, 2003)

Pasting the HijackThis log for easier viewing.

```
Logfile of HijackThis v1.99.1
Scan saved at 1:55:25 PM, on 17/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: qghmiyo - qghmiyo.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
```


----------



## Cookiegal (Aug 27, 2003)

There is infection present so it's possible the issue may resolve once we clean up the malware.

Have you tried doing a system restore to a date just before this happened?


----------
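To show how a reviewer narrows a long HijackThis log down to the handful of entries worth a closer look, here is a set of screening heuristics run over lines taken from the log pasted above. This is an added example, not Cookiegal's method and not a feature of HijackThis or of any tool named in the thread. It flags logon autoruns that load a DLL through rundll32 from the Windows root, autoruns that give no full path (resolved through the search path at logon), and Winlogon Notify handlers whose file is missing, ranking pathless ones higher because those handlers run inside winlogon.exe. The severities are this example's own assumptions, and a flag is a prompt to verify the entry, not a verdict on it.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = [
    r'O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7',
    r'O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)',
    r'O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll',
    r'O20 - Winlogon Notify: qghmiyo - qghmiyo.dll (file missing)',
    r'O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe',
]

# rundll32 loading a DLL that sits directly in the Windows root (not in System32)
RUNDLL_WINROOT = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)', re.I)
# a target that starts with a drive letter (possibly quoted) or an environment variable
QUALIFIED = re.compile(r'"?(?:[A-Za-z]:|%\w+%)\\', re.I)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out.

    Severity levels are an assumption of this example, not a HijackThis rating.
    """
    if line.startswith("O4 - "):
        m = RUNDLL_WINROOT.search(line)
        if m:
            return ("high", f"logon autorun loads {m.group(1)} via rundll32 from the Windows root, "
                            "a location almost no legitimate installer uses")
        cmd = line.split("] ", 1)[1] if "] " in line else ""
        if cmd and not QUALIFIED.match(cmd):
            return ("medium", f"autorun '{cmd}' has no full path and is resolved through the search path at logon")
    elif line.startswith("O20 - Winlogon Notify:"):
        parts = line.split(" - ", 2)
        target = parts[2] if len(parts) == 3 else ""
        missing = "(file missing)" in target
        if missing and not QUALIFIED.match(target):
            return ("high", f"Winlogon Notify handler '{target}' has neither a path nor a file; "
                            "check the key and remove it if nothing legitimate owns it")
        if missing:
            return ("medium", f"Winlogon Notify handler '{target}' points to a file that is gone; verify and clear the stale key")
    return None


def triage(lines):
    """Return [(index, severity, reason)] for every line that deserves a second look."""
    hits = []
    for i, line in enumerate(lines):
        r = triage_line(line)
        if r:
            hits.append((i, r[0], r[1]))
    return hits


if __name__ == "__main__":
    for i, sev, why in triage(HJT_SAMPLE):
        print(f"[{sev}] line {i}: {why}")
```

Fed the full log instead of the excerpt (one string per line), the same two functions leave the ordinary vendor entries untouched and surface only the lines a human should research.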



## middling (Mar 10, 2009)

Yes many times. It says system restore unable to protect your computer. Please restart and run system restore again. Same message on restart!


----------



## rainforest123 (Dec 29, 2004)

m: 
Please answer my questions in #16 of this thread. 

I am going to follow the thread, but CookieGal is 1 of TGF's resident malware removal experts. I will wait until she has finished before I post again. 

CG: 
Thanks for your prompt response. 
2 thumbs / dew claws up!
:up: :up:

RF123


----------



## middling (Mar 10, 2009)

The "host machine" is the problem machine. It is connected to the Videotron modem and to the router. This machine is connected only to the router and works fine. The other machine is a laptop and connects wirelessly no problem. So the host machine is connected to the modem. Both PCs (not the laptop) are connected by Ethernet ports.
I can't remember a particular operation that may have started the problem but it started as multiple windows on startup saying stuff like "................dll is not a valid Windows image. Check Windows diskette." I would close each window until it finished - at this stage I still had internet on the machine. I have McAfee and ran it to remove viruses but it still kept happening. In desperation I installed Windows OneCare to try to solve the problem but I couldn't operate it with McAfee on the machine so I deleted it. I think it was about then that the internet disappeared.
I have run a reg cleaner, RegCure, but this changed nothing.
No matter what view I am in in Control Panel, Network Connections opens with a blank white wall. There are no LAN icons - nothing!!! So obviously I can't check IP etc. Screen shots will not show you anything but a blank screen. System Restore has been disabled somehow along with Help, Troubleshoot etc.


----------



## middling (Mar 10, 2009)

Just saw your newest post. I answered the #16 questions in my last post. Thanks again for all you're trying to do. Really appreciate your help and interest.


----------



## Cookiegal (Aug 27, 2003)

Go to **Start** - **Run** - type in `cmd` and click OK.

At the command prompt type in:

`netsh winsock reset catalog`

Press Enter.

Then type in:

`netsh int ip reset resetlog.txt`

Press Enter.

You will need to reboot afterwards.

Then see if you can connect.

If not, then you may need to do a hard reset of the router.

You can do this by inserting the tip of a pencil into a small hole labelled "reset" located on the back of the router. With the power on, press there and hold it down until the lights on the front of the router blink off and on again. You might want to check with your ISP in case there are custom settings that need to be maintained.


----------



## middling (Mar 10, 2009)

Sorry it took so long to reply, I tried the hard reset of the router and lost internet on the other 2 PCs! Don't know how but I got it back now.
Anyhow, I had already tried the netsh thing but I tried it again with the same results. On the first command I got back
"Warning, could not obtain host info from machine {pc}. Some commands may not be available. The specified service does not exist as an installed service. Successfully reset winsock catalogue."
The next command gave the same reply except nothing said "successfully" etc. Obviously the hard reset of the router did not work. I also did a hard reset of the modem which may be responsible for restoring the net. Thanks for your speedy replies.


----------



## Jason08 (Oct 13, 2008)

From JohnWill

IP addresses of all zeros are normally caused by one of the following.

**Diagnosis:**

- DHCP Service not running.
- Duplicate IP address on the network.
- Bad NIC card drivers.
- Defective NIC hardware.

**Resolution:**

- Check Control Panel, Administrative Tools, Services. The DHCP Client service should be Started and its Startup Type should be Automatic.
- Turn off ALL of the computers and other network connected devices, restart (power cycle) the router, then restart all the computers and other network devices.
- Check for upgraded drivers and/or reload the Network drivers.
- Replace the Network Interface Card.


----------
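The `ipconfig /all` output middling pasted earlier and the all-zeros diagnosis list quoted above describe the same set of symptoms, so here is one added example that covers both: a small parser for the Windows XP `ipconfig /all` layout and a check that turns the parsed fields into the findings a helper would otherwise read off by eye (address 0.0.0.0, no default gateway, DHCP server 255.255.255.255, an adapter with no link). This is not code from the thread or from any tool named in it; the two excerpts are constructed for the example, the first modelled on the pasted output and the second on what a working machine on the same LAN would show, and the MAC addresses in them are placeholders.

```python
import re

# Constructed ipconfig /all excerpts in the Windows XP layout (headers in column 0,
# fields indented, names padded with dots). Not real captures; MACs are placeholders.
SAMPLE_BROKEN = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : c
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-00-00-00-00-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dual-Band Wireless A+G PCI Adapter
        Physical Address. . . . . . . . . : 00-00-00-00-00-02
"""

SAMPLE_HEALTHY = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : pc2

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.100
        DHCP Server . . . . . . . . . . . : 192.168.1.100
"""

# "   Field Name . . . . : value"  ->  name, value (dots and padding discarded)
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Map each section header to a dict of lower-cased field name -> value.

    Continuation lines (extra DNS servers) carry no field name and are skipped.
    """
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # section headers start in column 0
            current = line.strip().rstrip(":")
            sections[current] = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip().lower()] = m.group(2).strip()
    return sections


def diagnose(sections):
    """Return {adapter: [finding, ...]} for adapters that cannot reach the LAN."""
    report = {}
    for name, f in sections.items():
        if name.lower() == "windows ip configuration":
            continue
        findings = []
        if "disconnected" in f.get("media state", "").lower():
            findings.append("media disconnected: no link on this port (cable, switch port or NIC)")
        else:
            if f.get("ip address", "0.0.0.0") in ("", "0.0.0.0"):
                findings.append("address 0.0.0.0: no lease obtained (DHCP Client service not running, "
                                "duplicate address, bad driver or defective NIC)")
            if f.get("dhcp server") == "255.255.255.255":
                findings.append("DHCP server 255.255.255.255: broadcast placeholder, no DHCP server ever answered")
            if not f.get("default gateway"):
                findings.append("no default gateway: nothing beyond the local subnet is reachable")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("healthy", SAMPLE_HEALTHY)):
        print(label, diagnose(parse_ipconfig(sample)) or "no findings")
```

The healthy excerpt produces no findings, which is the useful property of the check: pasting the output of a working machine beside the broken one makes the missing lease and gateway stand out without reading the dotted fields by hand.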



## middling (Mar 10, 2009)

Hi Jason, thanks for the input but I have no DHCP file in Services so it can't be started. I believe this is the main problem. I've tried another NIC from another computer - no go. Tried re-installing the router software but it hangs on "connect router to electrical supply" when it's already connected to a good supply. The router is working fine cos as we speak I'm on one of the network computers which is working fine. Whatever has disabled my machine has also blocked my access to Windows Firewall settings and Windows Help. Can't be a duplicate IP address because the problem computer cannot generate an IP address. Big mystery.


----------



## Cookiegal (Aug 27, 2003)

You can download this program to a CD, install it on the desktop of the infected machine and run the scan. You won't be able to install the recovery console so please just bypass that part.

Please visit the **Combofix Guide & Instructions** for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read **HERE** for an article written by dvk01 on why we disable autoruns.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.*


----------



## middling (Mar 10, 2009)

Hi CG I'm from Quebec too but I think we'll continue in English for the time being. You will find the requested files attached - hope they help.


----------



## rainforest123 (Dec 29, 2004)

middling: 
Until Cookiegal has finished, I suggest that you pay attention only to her advice.

No offense is intended to Jason08, or anyone else who responds to this thread. 


Try to post the logs in the text, instead of as attachments. Using the attachment method adds a step that can be avoided.

I have done it for you, this time.

Thanks, m. 
Au revoir.

RF123

```
Logfile of HijackThis v1.99.1
Scan saved at 11:15:46 PM, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
```
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


----------



## rainforest123 (Dec 29, 2004)

ComboFix 09-03-18.01 - Administrator 2009-03-18 22:57:46.1 - NTFSx86
Running from: D:\combo-fix.exe
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\QUAD Utilities
c:\windows\system32\rnplf14.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSpqlt.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.log
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR
-------\Legacy_TDSSSERV.SYS
-------\Service_tcpsr
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-10 11:55 . 2009-03-10 11:55 d--------	c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d--------	c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07	1,905	--a------	c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07	1,905	--a------	c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d--------	c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d--------	C:\oldregistry
2009-03-05 15:07 . 2001-08-17 13:12	117,760	--a------	c:\windows\system32\drivers\e100b325.sys
2009-02-19 21:39 . 2009-03-18 22:55	664	--a------	c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17	---------	d-----w	c:\program files\LimeWire
2009-03-18 05:15	---------	d-----w	c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46	---------	d-----w	c:\program files\Hewlett-Packard
2009-02-18 05:45	---------	d-----w	c:\program files\Click And Fix Trial
2009-02-18 05:43	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-18 05:43	---------	d-----w	c:\program files\Common Files\ArcSoft
2009-02-18 05:43	---------	d-----w	c:\program files\ArcSoft
2009-02-18 05:08	32,768	----a-w	c:\windows\system32\drivers\ati2fwxx.sys
2009-01-28 16:38	41,984	----a-w	c:\windows\Rhipalega.dll
2009-01-26 14:14	132,096	----a-w	c:\windows\epulukac.dll
2009-01-22 03:36	---------	d-----w	c:\documents and settings\Administrator\Application Data\ArcSoft
2009-01-22 02:27	---------	d-----w	c:\documents and settings\Administrator\Application Data\Canneverbe_Limited
2009-01-22 00:49	---------	d-----w	c:\program files\YourWare Solutions
2009-01-22 00:15	64,160	----a-w	c:\windows\system32\drivers\Lbd.sys
2009-01-22 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 00:14	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-22 00:13	---------	d-----w	c:\program files\Lavasoft
2009-01-19 03:58	---------	d-----w	c:\program files\Common Files\Ahead
2009-01-19 03:51	---------	d-----w	c:\program files\Windows Live
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"Ygucerutewotevig"="c:\windows\epulukac.dll" [2009-01-26 132096]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Btasihevurijan]
--a------ 2009-01-28 12:38 41984 c:\windows\Rhipalega.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ati2fwxx;ati2fwxx;c:\windows\System32\Drivers\ati2fwxx.sys [2009-02-18 32768]
R3 ati8yoxx;ati8yoxx; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []

2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]

2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]

2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]

2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-ati2fwxx.sys
SafeBoot-ati8yoxx.sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 23:01:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\system32\java.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-18 23:08:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 03:07:57

Pre-Run: 60,608,212,992 bytes free
Post-Run: 60,642,430,976 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
339	--- E O F ---	2009-03-02 14:44:36


----------



## rainforest123 (Dec 29, 2004)

Download HJT from this site.
http://thespykiller.co.uk/index.php?action=tpmod;dl=item10

You are running HJT 1.99
The latest is 2.x.x 


RF23


----------



## pcdebol (Mar 2, 2009)

I'm sorry, but I have been reading this thread and was wondering if I read correctly that the computer in question is plugged into both the modem and the router. Some further explanation of this setup may greatly help. It is unusual, to say the least, if this is a home network. But do get the infection cleaned first, I think; I'm very confused trying to follow this thread.


----------



## middling (Mar 10, 2009)

Will heed your advice. Thanks again for your concern.


----------



## pcdebol (Mar 2, 2009)

Here is a web page that may help with your DHCP services. I'm not on an XP machine or I could paste what the entire reg entry should look like, but it may help. But do get that malware cleaned first before looking into this.

http://windowsxp.mvps.org/dhcp.htm


----------



## Cookiegal (Aug 27, 2003)

Sorry, I haven't forgotten you but will only be able to get to your log tomorrow. I'll post back with further instructions.


----------



## middling (Mar 10, 2009)

Thanks, you've been great!!


----------



## middling (Mar 10, 2009)

Hi cookiegirl, haven't heard from you for a few days. Any news?


----------



## Cookiegal (Aug 27, 2003)

I'm sorry. I must have deleted the reply notification by mistake, so I forgot about your thread. I'm signing off soon, but I promise I'll get to you sometime tomorrow.

In the meantime though, you can run this program:

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Also, if you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it returns on future reboots.*


----------



## middling (Mar 10, 2009)

Hi there. Couldn't download from the links you sent; one said file not found and the other led me to a PC Tools download site. I ended up getting it from MBAM's own site. Here are the logs you requested.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
23/03/2009 10:55:19 PM
mbam-log-2009-03-23 (22-55-19).txt
Scan type: Full Scan (C:\|)
Objects scanned: 111728
Time elapsed: 29 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Prefetch\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSScfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:36 PM, on 23/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
C:\WINDOWS\system32\imapi.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

Thank you and good luck!!
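
The HijackThis log above is a good illustration of what a helper looks for in the O4 (autorun) section: among two dozen legitimate Run entries there is one, [Ygucerutewotevig], that uses rundll32.exe to load a DLL sitting in the root of C:\WINDOWS rather than in system32 or Program Files, which is how the persistence was spotted. The script below is an added example, not part of this thread or of HijackThis itself: it parses O4 registry lines from a constructed sample (copied from the posted log) and applies simple triage heuristics of its own (the trusted-directory list and severity labels are assumptions for illustration, not HijackThis rules).

```python
"""Triage HijackThis O4 autorun entries (added example, not HijackThis code).

Heuristics (this example's own, not an official rule set):
  high   - rundll32.exe loading a DLL from outside the trusted directories
  review - executable given without a path (resolved via the search path)
           or running from outside the trusted directories
  ok     - everything else
"""
import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
"""

# Assumed trusted locations for this example (XP layout as seen in the log).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Matches registry-based O4 lines only; Global Startup (.lnk) lines are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str


def parse_o4(log_text):
    """Extract registry O4 entries from HijackThis log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m['hive'], m['key'], m['name'], m['cmd']))
    return entries


def split_head(command):
    """Split a command line into its first file path and the remainder.

    Handles quoted paths and unquoted paths that contain spaces by extending
    the head token until it ends in a known executable/library extension.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end < 0:
            return command[1:], ''
        return command[1:end], command[end + 1:].strip()
    tokens = command.split(' ')
    for i in range(1, len(tokens) + 1):
        head = ' '.join(tokens[:i])
        if head.lower().endswith(('.exe', '.dll', '.com', '.scr')):
            return head, ' '.join(tokens[i:]).strip()
    return tokens[0], ' '.join(tokens[1:]).strip()


def is_trusted(path):
    """True if the path lies under one of the assumed trusted directories."""
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def assess(entry):
    """Return (severity, reason) for one autorun entry."""
    head, rest = split_head(entry.command)
    if head.lower().endswith('rundll32.exe'):
        dll, _ = split_head(rest)
        dll = dll.split(',')[0]          # drop ",entrypoint" on unquoted paths
        if not is_trusted(dll):
            return 'high', f'rundll32 loads {dll} from outside trusted directories'
        return 'ok', f'rundll32 loads trusted {dll}'
    if '\\' not in head:
        return 'review', f'unqualified executable {head} is resolved via the search path'
    if not is_trusted(head):
        return 'review', f'{head} runs from outside trusted directories'
    return 'ok', head


def triage(log_text):
    """Return a list of (entry name, severity, reason) tuples."""
    return [(e.name, *assess(e)) for e in parse_o4(log_text)]


if __name__ == '__main__':
    for name, severity, reason in triage(SAMPLE_LOG):
        print(f'{severity:6} [{name}] {reason}')
```

Run against the sample, the only "high" finding is the rundll32 loader of C:\WINDOWS\epulukac.dll, the entry the CFScript later removes; LTMSG.exe and ALCXMNTR.EXE-style entries with no path come out as "review" because the loader resolves them through the search path, which is worth a glance but is also how some OEM utilities are registered.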


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\Rhipalega.dll
c:\windows\epulukac.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ygucerutewotevig"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Btasihevurijan]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## middling (Mar 10, 2009)

Hi there, I must tell you that when this problem first started, I would get multiple error messages on startup saying that a whole bunch of different files were not valid windows files. I ran anti virus programs and managed to get rid of all the messages except the one concerning the Rhipalega file. It would keep returning on startup so I disabled it. When I saw that was the same file now, I re-enabled it and of course, on boot, the message reappeared. I then did what you asked and here are the scans. I hope I haven't made your task any more difficult. That was the only tweaking I tried by myself.

ComboFix 09-03-18.01 - Administrator 2009-03-24 23:25:35.3 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\combo-fix.exe
Command switches used :: D:\CFscript.txt.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\epulukac.dll
c:\windows\Rhipalega.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\epulukac.dll
c:\windows\Rhipalega.dll
.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.
2009-03-23 22:17 . 2009-03-23 22:17 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d-------- c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d-------- c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d-------- C:\oldregistry
2009-03-05 15:07 . 2001-08-17 13:12 117,760 --a------ c:\windows\system32\drivers\e100b325.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17 --------- d-----w c:\program files\LimeWire
2009-03-18 05:15 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46 --------- d-----w c:\program files\Hewlett-Packard
2009-02-18 05:45 --------- d-----w c:\program files\Click And Fix Trial
2009-02-18 05:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 05:43 --------- d-----w c:\program files\Common Files\ArcSoft
2009-02-18 05:43 --------- d-----w c:\program files\ArcSoft
2009-02-18 05:08 32,768 ----a-w c:\windows\system32\drivers\ati2fwxx.sys
2009-02-17 02:59 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 00:15 15,688 ----a-w c:\windows\system32\lsdelete.exe
2008-12-29 00:15 410,984 ----a-w c:\windows\system32\deploytk.dll
.
------- Sigcheck -------
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll
2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll
2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-25 03:13:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 ati2fwxx;ati2fwxx;c:\windows\System32\Drivers\ati2fwxx.sys [2009-02-18 32768]
R3 ati8yoxx;ati8yoxx; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Btasihevurijan - c:\windows\Rhipalega.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 23:27:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-03-24 23:29:33
ComboFix-quarantined-files.txt 2009-03-25 03:29:31
ComboFix2.txt 2009-03-19 03:39:24
ComboFix3.txt 2009-03-19 03:08:06
Pre-Run: 60,659,863,552 bytes free
Post-Run: 60,642,123,776 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
312 --- E O F --- 2009-03-02 14:44:36

Logfile of HijackThis v1.99.1
Scan saved at 11:31:54 PM, on 24/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


----------
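The HijackThis logs in this thread are read by eye: the helper scans the O4 (Run keys), O20 (Winlogon Notify) and O23 (service) lines for anything that does not belong. The script below is an added example of doing those same mechanical checks in code; it is not HijackThis, ComboFix, or anything the helper provided. SAMPLE_LOG is constructed from lines of the same shape as the logs posted here (the `rundll32.exe "C:\WINDOWS\epulukac.dll",e` entry is copied from the 17/03/2009 log further down the thread). The severities and the "DLL directly under the Windows directory" rule are this example's own heuristics, not HijackThis output.

```python
"""Triage the autostart entries in a HijackThis log (added example)."""
import re
from dataclasses import dataclass

HIGH, REVIEW, INFO = "high", "review", "info"


@dataclass
class Finding:
    level: str
    reason: str
    line: str


O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# rundll32[.exe] "<dll>",<entry>   (quotes around the DLL are optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.I)
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def dll_in_windows_root(path: str) -> bool:
    """True for a DLL sitting directly in the Windows directory (C:\\WINDOWS\\x.dll).
    Installers put rundll32 targets in system32 or a vendor folder, so a bare
    DLL here is worth a look.  Heuristic chosen for this example."""
    parts = path.strip('"').lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".dll")


def triage(log_text: str) -> list:
    """Return the Finding objects for the O4/O20/O23 lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"]
            if r := RUNDLL_RE.match(cmd):
                if dll_in_windows_root(r["dll"]) and len(r["entry"]) <= 2:
                    findings.append(Finding(HIGH, "rundll32 loads a DLL from the Windows root "
                                            "through a one- or two-character export", line))
                else:
                    findings.append(Finding(REVIEW, "rundll32 autostart; confirm the DLL and its export", line))
            elif not ABS_PATH_RE.match(cmd):
                findings.append(Finding(INFO, "bare file name; resolved through the PATH search order, "
                                        "so confirm which copy actually runs", line))
        elif m := O20_RE.match(line):
            path = m["path"]
            if "(file missing)" in path:
                findings.append(Finding(INFO, "dangling Winlogon Notify entry; the DLL is gone", line))
            elif "\\system32\\" not in path.lower():
                findings.append(Finding(REVIEW, "Winlogon Notify DLL outside system32", line))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding(REVIEW, "service binary has no recognised publisher; "
                                        "verify the ImagePath by hand", line))
    return findings


def report(findings) -> str:
    return "\n".join(f"[{f.level:6}] {f.reason}\n         {f.line}" for f in findings)


# Constructed sample in HijackThis 1.99.1 format; not a complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Only the rundll32 line rates "high" on the constructed sample; the rest are prompts. The "Unknown owner" services are deliberately kept at "review": HijackThis 1.99.1 prints "(file missing)" on O23 lines whose ImagePath is a quoted path followed by arguments (note the stray `"` before `/ServiceStart` in the logs above), so that marker on its own is not evidence that the service binary is absent.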



## Cookiegal (Aug 27, 2003)

Download Dial-a-Fix from the following link.

http://www.majorgeeks.com/download4899.html

Install and run the program and check:

*Fix SSL/HTTPS/Cryptography* and click Go.

Then reboot and run ComboFix again and post the new log please.


----------



## middling (Mar 10, 2009)

Done. Here's the log as requested. Apparently there are too many characters to post so I will post the last few pages separately. Thank you.

ComboFix 09-03-26.02 - Administrator 2009-03-26 23:21:26.7 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\combofix.exe
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-26 23:17 . 2009-03-26 23:17 d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-26 23:04 . 2009-03-26 23:04 d-------- C:\combo-fix
2009-03-26 22:58 . 2009-03-26 22:58 d-------- c:\windows\system32\CatRoot2
2009-03-23 22:17 . 2009-03-23 22:17 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d-------- c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d-------- c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d-------- C:\oldregistry
2009-03-05 15:07 . 2001-08-17 13:12 117,760 --a------ c:\windows\system32\drivers\e100b325.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17 --------- d-----w c:\program files\LimeWire
2009-03-18 05:15 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46 --------- d-----w c:\program files\Hewlett-Packard
2009-02-18 05:45 --------- d-----w c:\program files\Click And Fix Trial
2009-02-18 05:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 05:43 --------- d-----w c:\program files\Common Files\ArcSoft
2009-02-18 05:43 --------- d-----w c:\program files\ArcSoft
2009-02-18 05:08 32,768 ----a-w c:\windows\system32\drivers\ati2fwxx.sys
.

------- Sigcheck -------

2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe

2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll

2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe

2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe

2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe

2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll

2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll

2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll

2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 03:17:58 61,457 ----a-w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
+ 2009-03-27 03:24:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_49c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ati2fwxx;ati2fwxx;c:\windows\System32\Drivers\ati2fwxx.sys [2009-02-18 32768]
R3 ati8yoxx;ati8yoxx; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]


----------
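The Sigcheck block in the ComboFix log above lists every copy of each core system file that ComboFix can find, as `date time size md5 path`, so that a reader can compare the live copy in system32 with the copies held in dllcache, ServicePackFiles\i386 and Driver Cache\i386. The script below is an added example that performs that comparison mechanically; it is not part of ComboFix and not something the helper asked for. SAMPLE is constructed from lines copied out of the Sigcheck block above, and the split into "live" and "cache" directories is this example's own assumption.

```python
"""Cross-check the Sigcheck block of a ComboFix log (added example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$")

# Directory classification assumed for this example.
CACHE_DIRS = ("\\dllcache", "\\servicepackfiles\\i386", "\\driver cache\\i386")
LIVE_DIRS = ("\\system32", "\\system32\\drivers")


def location(path: str) -> str:
    """'cache' for reference copies, 'live' for the copy Windows loads,
    'other' for uninstall, hotfix-migration and download folders."""
    directory = path.lower().rsplit("\\", 1)[0]
    if directory.endswith(CACHE_DIRS):
        return "cache"
    if directory.endswith(LIVE_DIRS) or directory == "c:\\windows":
        return "live"
    return "other"


def parse(text: str) -> dict:
    """basename -> list of (location, md5, size, path); non-Sigcheck lines are skipped."""
    copies = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        base = m["path"].rsplit("\\", 1)[-1].lower()
        copies[base].append((location(m["path"]), m["md5"], int(m["size"]), m["path"]))
    return dict(copies)


def compare(copies: dict) -> dict:
    """basename -> 'match' when every live copy's MD5 is among the cached copies,
    'mismatch' when a live copy has a hash no cache holds, 'no-reference' when
    there is no cached copy to compare against."""
    verdicts = {}
    for base, entries in copies.items():
        cache = {md5 for loc, md5, _, _ in entries if loc == "cache"}
        live = [md5 for loc, md5, _, _ in entries if loc == "live"]
        if not live:
            continue
        if not cache:
            verdicts[base] = "no-reference"
        elif all(md5 in cache for md5 in live):
            verdicts[base] = "match"
        else:
            verdicts[base] = "mismatch"
    return verdicts


# Constructed sample: lines copied from the Sigcheck block of the log above.
SAMPLE = r"""
------- Sigcheck -------

2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll

2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
"""

if __name__ == "__main__":
    for name, verdict in sorted(compare(parse(SAMPLE)).items()):
        print(f"{verdict:12} {name}")
```

A "mismatch" is a prompt, not a verdict. Hotfixes ship in GDR and QFE branches with different hashes for the same KB, and the kernel files are a well-known case where the live copy differs from the cached one on a healthy machine (the uniprocessor and multiprocessor builds of ntoskrnl.exe and ntkrnlpa.exe carry different sizes and hashes). Confirm a flagged file against the vendor's catalogue hash for the installed update before treating it as patched by malware.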



## middling (Mar 10, 2009)

Next few pages

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []

2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]

2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]

2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]

2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 23:25:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\system32\java.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-26 23:30:43 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-03-27 03:30:37
ComboFix2.txt 2009-03-26 20:41:23
ComboFix3.txt 2009-03-25 03:29:35
ComboFix4.txt 2009-03-19 03:39:24
ComboFix5.txt 2009-03-27 03:02:14

Pre-Run: 60,664,864,768 bytes free
Post-Run: 60,652,384,256 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
321 --- E O F --- 2009-03-02 14:44:36


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
DirLook::
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP

File::
c:\windows\system32\drivers\ati2fwxx.sys

Driver::
ati2fwxx
ati8yoxx
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## middling (Mar 10, 2009)

Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 1:55:25 PM, on 17/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: qghmiyo - qghmiyo.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


----------
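The HijackThis log above is a flat list of autostart points (R0/R1 browser settings, O2 BHOs, O4 Run keys, O20 Winlogon Notify packages, O23 services), and most of the triage work is deciding which lines deserve a second look. The script below is an added example, not code from this thread, from HijackThis, or from any of the tools it lists; it applies three checks an analyst makes first to a constructed sample modelled on entries in the log above: a `rundll32.exe` Run entry whose DLL sits directly in the Windows folder, a Winlogon Notify package with no resolvable path, and the known HijackThis 1.99.1 habit of reporting a service as "(file missing)" when its quoted ImagePath carries arguments. The severities are heuristics for prioritising review, not a verdict that any file is malicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a handful of lines modelled on the HijackThis 1.99.1 log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ygucerutewotevig] rundll32.exe "C:\WINDOWS\epulukac.dll",e
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - Winlogon Notify: qghmiyo - qghmiyo.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

RUN_RE = re.compile(r'^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$')
MISSING = "(file missing)"


def split_first(cmd):
    """Split a command line into its first token and the remainder, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:])
    m = re.match(r'([^\s,]+)(.*)$', cmd)
    return (m.group(1), m.group(2)) if m else ("", "")


def in_windows_root(path):
    """True when the file sits directly in the Windows folder rather than a subfolder such as system32."""
    parent = PureWindowsPath(path).parent
    return len(parent.parts) == 2 and parent.parts[1].lower() == "windows"


def triage(log_text):
    """Return (severity, entry name, reason) for each autostart entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe, rest = split_first(m["cmd"])
            if PureWindowsPath(exe).name.lower() == "rundll32.exe":
                # rundll32 gives a DLL with no executable of its own a process to live in;
                # a DLL dropped straight into the Windows folder is a classic place to look.
                dll, _ = split_first(rest)
                if in_windows_root(dll):
                    findings.append(("high", m["name"], f"rundll32 loads {dll} from the Windows folder itself"))
            elif "\\" not in exe:
                findings.append(("info", m["name"], f"{exe} is a bare name resolved via the search path; confirm which file runs"))
            continue
        m = NOTIFY_RE.match(line)
        if m and (MISSING in m["target"] or "\\" not in m["target"]):
            # Winlogon Notify DLLs load into winlogon.exe at boot; a bare or missing one is residue.
            findings.append(("high", m["name"], f"Winlogon Notify package '{m['target']}' has no resolvable path"))
            continue
        m = SERVICE_RE.match(line)
        if m and MISSING in m["target"] and '"' in m["target"]:
            # HijackThis 1.99.1 does not split a quoted ImagePath from its arguments,
            # so a perfectly present service binary is reported as missing.
            findings.append(("note", m["name"], "quoted path with arguments; verify the binary by hand before calling it missing"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {name}: {reason}")
```

Run on the sample, the script flags the `Ygucerutewotevig` Run entry and the `qghmiyo` Winlogon Notify package as high, marks `AlcxMonitor` as informational because `ALCXMNTR.EXE` is resolved through the search path, and tags the McAfee Framework service as a parser artifact rather than a missing file; the Java, Intel graphics and McShield entries pass untouched. The second HijackThis log in this thread, taken after ComboFix ran, no longer contains the two high entries, which is the kind of before/after comparison this check is meant to make quick.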



## Cookiegal (Aug 27, 2003)

I've deleted your ComboFix log posts, as the font was too large and caused the screen to scroll sideways.

Please repost it and just use the default font without editing anything.


----------



## middling (Mar 10, 2009)

Sorry, I don't know what happened; I'll try again. First, the ComboFix file:

ComboFix 09-03-26.02 - Administrator 2009-03-30 18:02:00.9 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\combofix.exe
Command switches used :: D:\CFscript.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\drivers\ati2fwxx.sys
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.
2009-03-26 23:17 . 2009-03-26 23:17 d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-26 23:04 . 2009-03-26 23:04 d-------- C:\combo-fix
2009-03-26 22:58 . 2009-03-26 22:58 d-------- c:\windows\system32\CatRoot2
2009-03-23 22:17 . 2009-03-23 22:17 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d-------- c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d-------- c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d-------- C:\oldregistry
2009-03-05 15:07 . 2001-08-17 13:12 117,760 --a------ c:\windows\system32\drivers\e100b325.sys
2009-02-19 21:39 . 2009-03-30 17:58 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-18 01:08 . 2009-02-18 01:08 287 --a------ c:\windows\system32\MRT.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17 --------- d-----w c:\program files\LimeWire
2009-03-18 05:15 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46 --------- d-----w c:\program files\Hewlett-Packard
2009-02-18 05:45 --------- d-----w c:\program files\Click And Fix Trial
2009-02-18 05:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 05:43 --------- d-----w c:\program files\Common Files\ArcSoft
2009-02-18 05:43 --------- d-----w c:\program files\ArcSoft
2009-02-17 02:59 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 00:15 15,688 ----a-w c:\windows\system32\lsdelete.exe
2008-12-29 00:15 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 23:15 347,136 ----a-w c:\windows\system32\dxtmsft(2).dll
2008-12-20 23:15 214,528 ----a-w c:\windows\system32\dxtrans(2).dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP ----
2009-03-26 23:17 61457 --a------ c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll

------- Sigcheck -------
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll
2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll
2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 03:17:58 61,457 ----a-w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
+ 2009-03-29 23:47:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 18:03:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-03-30 18:05:26
ComboFix-quarantined-files.txt 2009-03-30 22:05:24
ComboFix2.txt 2009-03-29 23:53:54
ComboFix3.txt 2009-03-27 03:30:45
ComboFix4.txt 2009-03-26 20:41:23
ComboFix5.txt 2009-03-30 22:01:27
Pre-Run: 60,668,108,800 bytes free
Post-Run: 60,651,245,568 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
320 --- E O F --- 2009-03-02 14:44:36


----------
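The Sigcheck section of the ComboFix log above lists, for each critical system file, the MD5 of the copy Windows actually runs next to the MD5s of the backup copies kept in `ServicePackFiles\i386`, `system32\dllcache`, `$hf_mig$` and the uninstall folders. The point of that table is the comparison, which is easier to do by script than by eye. The code below is an added example, not ComboFix's or Sigcheck's own code; it parses lines in the format shown, picks out the live copy (system32, system32\drivers or the Windows folder itself) and reports which backups agree with it. The sample is three files copied from the log above. Two lessons it makes visible: `system32\svchost.exe` carries a February 2009 timestamp yet is byte-identical to the SP3 copy, so a fresh date alone is not evidence of tampering; and `system32\ntkrnlpa.exe` matches none of the cached copies, which is a prompt to verify the file's signature and origin by hand, not proof of compromise, since legitimate causes exist (for instance the installed kernel image being a different build variant from the cached one).

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: Sigcheck lines copied from the ComboFix log above, trimmed to three files.
SAMPLE_SIGCHECK = r"""
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
"""

LINE_RE = re.compile(r'^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$')
WINDIR = "c:\\windows\\"
# Directories whose copy is the one Windows actually runs; everything else is a backup or staging copy.
LIVE_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers"}


def parse_sigcheck(text):
    """Yield (path, size, md5) for every well-formed Sigcheck line; junk lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], int(m["size"]), m["md5"]


def parent_dir(path):
    """Lower-cased directory part of a Windows path, for case-insensitive comparison."""
    return str(PureWindowsPath(path).parent).lower()


def location(path):
    """Label a backup copy by its folder under the Windows directory, e.g. 'servicepackfiles\\i386'."""
    parent = parent_dir(path)
    return parent[len(WINDIR):] if parent.startswith(WINDIR) else parent


def cross_check(records):
    """For each file name, compare the live copy's MD5 with every backup copy Sigcheck listed."""
    by_name = defaultdict(list)
    for path, size, md5 in records:
        by_name[PureWindowsPath(path).name.lower()].append((path, size, md5))
    report = {}
    for name, copies in by_name.items():
        live = [c for c in copies if parent_dir(c[0]) in LIVE_DIRS]
        refs = [c for c in copies if parent_dir(c[0]) not in LIVE_DIRS]
        if not live:
            continue
        path, size, md5 = live[0]
        matches = sorted(location(p) for p, _, h in refs if h == md5)
        report[name] = {
            "live": path,
            "size": size,
            "md5": md5,
            "matches": matches,
            "references": len(refs),
            # A live copy no backup agrees with is a prompt to check the file's signature
            # and origin by hand, not proof of tampering.
            "verdict": "consistent" if matches else "no backup copy has this hash: review",
        }
    return report


if __name__ == "__main__":
    for name, info in cross_check(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{name}: {info['verdict']} (matches {info['matches'] or 'none'} of {info['references']} backups)")
```

On the sample this reports `svchost.exe` as consistent with both the service-pack and dllcache copies, `tcpip.sys` as consistent with dllcache only (the service-pack copy is the pre-KB951748 build, which is expected after that hotfix), and `ntkrnlpa.exe` as the one file to look at by hand. Feeding it the full Sigcheck block from the log gives the same one-line verdict for every file listed.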



## middling (Mar 10, 2009)

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:27 PM, on 30/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 13*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## middling (Mar 10, 2009)

I apologise if this is a stupid question, but how do I run an online scanner when my problem is that I can't go online on the infected machine? Can I save it to disc and transfer it to the bad machine?


----------



## Cookiegal (Aug 27, 2003)

I was hoping you could connect by now.

What happens when you try to go on-line?

Have you tried other browsers?


----------



## middling (Mar 10, 2009)

Nothing noticeable has changed. I try to go online and I get the usual "no connection" sign, and according to "network connection" I have no connection. (It's just blank.) After all your work, should I try to re-install the driver for the router? I tried many times before but the installation would not recognise that the machine was plugged in.


----------



## Cookiegal (Aug 27, 2003)

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## middling (Mar 10, 2009)

Here's the GMER report as requested

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-31 20:19:33
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76BF87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76BFC10]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF28942F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF289431D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF28942C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF2894307]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2894349]
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP F28942CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP F289434D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP F2894321 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP F28942F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP F289430B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\combofix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[1700] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.


----------



## middling (Mar 10, 2009)

Hi there, here's the results of the scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/02/2009 at 06:48 PM
Application Version : 4.26.1000
Core Rules Database Version : 3816
Trace Rules Database Version: 1770
Scan type : Complete Scan
Total Scan Time : 01:05:19
Memory items scanned : 531
Memory threats detected : 0
Registry items scanned : 5237
Registry threats detected : 0
File items scanned : 43695
File threats detected : 95
Adware.Tracking Cookie
Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\ATI2FWXX.SYS.VIR


----------



## Cookiegal (Aug 27, 2003)

Please turn off Ad-Watch before doing this or it will interfere with the changes we want to make.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSpqlt.dat
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSpqlt.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSpqlt.sys
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSStkdv.log
c:\windows\system32\drivers\TDSSpqlt.sys

Registry:
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Also, please tell me what your D and F drives are.
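The CFScript above was written by hand from the GMER "Reg" findings for TDSSserv.sys. As an added example (not code from the thread, GMER or ComboFix), this Python script derives the same two sections from a GMER log: it lists the service names GMER reported under Services, collects the file paths their values point to, rewrites \systemroot to c:\windows, and emits one [-key] line per control set. The sample log is constructed to mirror the thread's findings; the value names after "@" (Type, Start, ImagePath, cmd, data, log), the ExampleSvc line and %SystemRoot% = c:\windows are assumptions.

```python
"""Turn GMER 'Reg' findings for one service into a CFScript (File:: / Registry: sections).

Added example, not code from the thread or from GMER/ComboFix. It assumes GMER's
"Reg <key>[@<value>] [<data>]" line shape and %SystemRoot% = c:\\windows; the
sample log is constructed to mirror the thread's TDSSserv.sys findings, with the
value names after '@' assumed because the scraped log shows them garbled.
"""
import re

# One GMER registry finding: key, optional @value, optional data (data may contain spaces)
REG_LINE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
# Value data that names a file: an NT path (\systemroot\...) or a drive path (c:\...)
PATH_DATA = re.compile(r"^(\\|[A-Za-z]:\\)")

# Constructed sample in the shape of the thread's GMER "Registry" section
SAMPLE_GMER = [
    r"---- Registry - GMER 1.0.15 ----",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@Type 1",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@Start 1",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@ImagePath \systemroot\system32\drivers\TDSSpqlt.sys",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@Group file system",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv.sys \systemroot\system32\drivers\TDSSpqlt.sys",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@cmd \systemroot\system32\TDSSoiqt.dll",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@data \systemroot\system32\TDSSpqlt.dat",
    r"Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@Type 1",
    r"Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@ImagePath \systemroot\system32\drivers\TDSSpqlt.sys",
    r"Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@cmd \systemroot\system32\TDSSoiqt.dll",
    r"Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@log \systemroot\system32\TDSSnmxh.log",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\ExampleSvc@Start 2",  # constructed unrelated service
    r"---- EOF - GMER 1.0.15 ----",
]


def parse_reg_lines(lines):
    """Yield (key, value, data) for each GMER 'Reg' finding; every other line is skipped."""
    for line in lines:
        m = REG_LINE.match(line.strip())
        if m:
            yield m.group("key"), m.group("value") or "", (m.group("data") or "").strip()


def split_service_key(key):
    """Return (service_key, service_name) when key lies under ...\\Services\\<name>, else None."""
    parts = key.split("\\")
    lowered = [p.lower() for p in parts]
    if "services" not in lowered:
        return None
    i = lowered.index("services")
    if i + 1 >= len(parts):
        return None
    return "\\".join(parts[: i + 2]), parts[i + 1]


def find_hidden_services(lines):
    """Triage step: names of services that GMER reported in its Registry section."""
    found = set()
    for key, _value, _data in parse_reg_lines(lines):
        hit = split_service_key(key)
        if hit:
            found.add(hit[1])
    return found


def nt_to_win32(path):
    """Map GMER's NT form '\\systemroot\\...' to the 'c:\\windows\\...' form CFScript uses."""
    prefix = "\\systemroot\\"
    if path.lower().startswith(prefix):
        return "c:\\windows\\" + path[len(prefix):]
    return path


def build_cfscript(lines, service):
    """Build a CFScript removing <service>'s files and its key in every control set seen."""
    files, keys = set(), set()
    for key, _value, data in parse_reg_lines(lines):
        hit = split_service_key(key)
        if not hit or hit[1].lower() != service.lower():
            continue
        keys.add(hit[0].replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1))
        if PATH_DATA.match(data):
            files.add(nt_to_win32(data))
    out = ["File::"] + sorted(files, key=str.lower) + ["", "Registry:"]
    out += ["[-%s]" % k for k in sorted(keys, key=str.lower)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("services reported by GMER:", sorted(find_hidden_services(SAMPLE_GMER)))
    print(build_cfscript(SAMPLE_GMER, "TDSSserv.sys"))
```

The generated File:: list only contains paths the GMER log names, which is why the hand-written script above lists more TDSS files than this sample produces.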


----------



## middling (Mar 10, 2009)

Hi CG. I want to thank you again for all your help - I'm sure learning a lot! I won't be near the affected pc till late tomorrow night so I will perform the commands then. My D drive is a cd/dvd r drive and my F drive is what is assigned to moveable storage such as usb drives. I did try to reinstall my linksys router software again (just hoping) but, as had happened previously, the computer refuses to recognize that the router is plugged into an outlet even though my other two computers are on-line through the same router. Weird. Will post tomorrow night.


----------



## Cookiegal (Aug 27, 2003)

That's fine.


----------



## middling (Mar 10, 2009)

Here's the latest combofix log

ComboFix 09-03-26.02 - Administrator 2009-04-05 23:31:02.10 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\combofix.exe
Command switches used :: J:\CFScript.txt
 * Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
FILE ::
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSpqlt.dat
c:\windows\system32\TDSSpqlt.dll
c:\windows\system32\TDSSpqlt.sys
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-02 20:02 . 2009-04-02 20:03 d--------	c:\windows\LastGood
2009-04-02 17:39 . 2009-04-02 17:39 d--------	c:\program files\SUPERAntiSpyware
2009-04-02 17:39 . 2009-04-02 17:39 d--------	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 17:39 . 2009-04-02 17:39 d--------	c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-02 17:38 . 2009-04-02 17:38 d--------	c:\program files\Common Files\Wise Installation Wizard
2009-03-26 23:17 . 2009-03-26 23:17 d--------	c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-26 23:04 . 2009-03-26 23:04 d--------	C:\combo-fix
2009-03-26 22:58 . 2009-03-26 22:58 d--------	c:\windows\system32\CatRoot2
2009-03-23 22:17 . 2009-03-23 22:17 d--------	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d--------	c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d--------	c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d--------	c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d--------	c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07	1,905	--a------	c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07	1,905	--a------	c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d--------	c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d--------	C:\oldregistry
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17	---------	d-----w	c:\program files\LimeWire
2009-03-18 05:15	---------	d-----w	c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46	---------	d-----w	c:\program files\Hewlett-Packard
2009-02-18 05:45	---------	d-----w	c:\program files\Click And Fix Trial
2009-02-18 05:43	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-18 05:43	---------	d-----w	c:\program files\Common Files\ArcSoft
2009-02-18 05:43	---------	d-----w	c:\program files\ArcSoft
2009-02-17 02:59	14,336	----a-w	c:\windows\system32\svchost.exe
2009-01-22 00:15	15,688	----a-w	c:\windows\system32\lsdelete.exe
.
------- Sigcheck -------
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79	c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18	c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18	c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18	c:\windows\system32\dllcache\svchost.exe
2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb	c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b	c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b	c:\windows\system32\user32.dll
2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1	c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a	c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a	c:\windows\system32\ws2_32.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c	c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32	c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8	c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6	c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be	c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd	c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9	c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed	c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300	c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd	c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed	c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c	c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f	c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925	c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c	c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c	c:\windows\system32\dllcache\wininet.dll
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e	c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976	c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733	c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733	c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d	c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d	c:\windows\system32\drivers\tcpip.sys
2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb	c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e	c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e	c:\windows\system32\winlogon.exe
2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a	c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d	c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d	c:\windows\system32\drivers\ndis.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0	c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0	c:\windows\system32\drivers\ip6fw.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0	c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29	c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4	c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80	c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61	c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f	c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80	c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe	c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353	c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d	c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5	c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679	c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0	c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5	c:\windows\system32\dllcache\ntoskrnl.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923	c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a	c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923	c:\windows\ServicePackFiles\i386\explorer.exe
2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623	c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185	c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185	c:\windows\system32\services.exe
2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b	c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85	c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85	c:\windows\system32\lsass.exe
2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116	c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3	c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3	c:\windows\system32\ctfmon.exe
2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612	c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b	c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b	c:\windows\system32\spoolsv.exe
2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb	c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89	c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89	c:\windows\system32\userinit.exe
2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e	c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f	c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f	c:\windows\system32\termsrv.dll
2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8	c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d	c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d	c:\windows\system32\kernel32.dll
2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e	c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0	c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0	c:\windows\system32\powrprof.dll
2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a	c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f	c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f	c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 03:17:58	61,457	----a-w	c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
+ 2009-04-02 21:39:12	18,944	----a-r	c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-04-02 21:39:12	65,024	----a-r	c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-04-14 04:10:48	36,352	----a-w	c:\windows\LastGood\system32\drivers\disk.sys
+ 2008-04-14 04:15:40	26,368	----a-w	c:\windows\LastGood\system32\drivers\USBSTOR.SYS
+ 2009-04-02 23:57:59	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" 
[2008-05-01 131072]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe[HKEY_LOCAL_MACHINE\software\microsoft\security 
center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]--- Other Services/Drivers In Memory ---*Deregistered* - AFD*Deregistered* - Apple Mobile Device*Deregistered* - Arp1394*Deregistered* - audstub*Deregistered* - Beep*Deregistered* - Bonjour Service*Deregistered* - Cdfs*Deregistered* - DcomLaunch*Deregistered* - dmio*Deregistered* - dmload*Deregistered* - Fastfat*Deregistered* - Fips*Deregistered* - FltMgr*Deregistered* - FontCache3.0.0.0*Deregistered* - Ftdisk*Deregistered* - Gpc*Deregistered* - ImapiService*Deregistered* - IpFilterDriver*Deregistered* - IpNat*Deregistered* - iPod Service*Deregistered* - IPSec*Deregistered* - JavaQuickStarterService*Deregistered* - Kbdclass*Deregistered* - KSecDD*Deregistered* - Lavasoft Ad-Aware Service*Deregistered* - Lbd*Deregistered* - LightScribeService*Deregistered* - LinksysUpdater*Deregistered* - McAfeeFramework*Deregistered* - McShield*Deregistered* - McTaskManager*Deregistered* - mfeapfk*Deregistered* - mfeavfk*Deregistered* - mfebopk*Deregistered* - mfehidk*Deregistered* - mferkdk*Deregistered* - mfetdik*Deregistered* - mnmdd*Deregistered* - MountMgr*Deregistered* - MRxSmb*Deregistered* - Msfs*Deregistered* - MSIServer*Deregistered* - mssmbios*Deregistered* - Mup*Deregistered* - NDIS*Deregistered* - NdisTapi*Deregistered* - NdisWan*Deregistered* - 
NDProxy*Deregistered* - NetBIOS*Deregistered* - NetBT*Deregistered* - Npfs*Deregistered* - Ntfs*Deregistered* - Null*Deregistered* - PartMgr*Deregistered* - ParVdm*Deregistered* - PCIIde*Deregistered* - pnarp*Deregistered* - PolicyAgent*Deregistered* - PptpMiniport*Deregistered* - ProtectedStorage*Deregistered* - PSched*Deregistered* - purendis*Deregistered* - RasAcd*Deregistered* - Rasl2tp*Deregistered* - RasPppoe*Deregistered* - Raspti*Deregistered* - Rdbss*Deregistered* - RDPCDD*Deregistered* - rdpdr*Deregistered* - RpcSs*Deregistered* - SamSs*Deregistered* - SASDIFSV*Deregistered* - SASENUM*Deregistered* - SASKUTIL*Deregistered* - Spooler*Deregistered* - sr*Deregistered* - swenum*Deregistered* - Tcpip*Deregistered* - TermDD*Deregistered* - TermService*Deregistered* - Update*Deregistered* - VgaSave*Deregistered* - VolSnap*Deregistered* - Wanarp*Deregistered* - WSearch.Contents of the 'Scheduled Tasks' folder2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 
12:25]2009-03-09 c:\windows\Tasks\RegCure Program Check.job- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]2009-03-09 c:\windows\Tasks\RegCure.job- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]..------- Supplementary Scan -------.uStart Page = hxxp://google.ca/uInternet Settings,ProxyOverride = *.localIE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htmIE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspxIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-05 23:31:27Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(524)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\igfxdev.dll.Completion time: 2009-04-05 23:33:25ComboFix-quarantined-files.txt 2009-04-06 03:33:20ComboFix2.txt 2009-03-30 22:05:28ComboFix3.txt 2009-03-29 23:53:54ComboFix4.txt 2009-03-27 03:30:45ComboFix5.txt 2009-04-06 03:30:23Pre-Run: 60,633,825,280 bytes freePost-Run: 60,617,560,064 bytes freeCurrent=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4343	--- E O F ---	2009-03-02 14:44:36


----------



## Cookiegal (Aug 27, 2003)

Sorry but I can't use it in that format. Please be sure word wrap is unchecked in Notepad under Format and then repost the log.


----------



## middling (Mar 10, 2009)

I don't understand - it was unchecked. I'll try again - hope it's ok

ComboFix 09-03-26.02 - Administrator 2009-04-05 23:31:02.10 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\combofix.exe
Command switches used :: J:\CFScript.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
FILE ::
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSpqlt.dat
c:\windows\system32\TDSSpqlt.dll
c:\windows\system32\TDSSpqlt.sys
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-02 20:02 . 2009-04-02 20:03 d-------- c:\windows\LastGood
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\program files\SUPERAntiSpyware
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-02 17:38 . 2009-04-02 17:38 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-26 23:17 . 2009-03-26 23:17 d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-26 23:04 . 2009-03-26 23:04 d-------- C:\combo-fix
2009-03-26 22:58 . 2009-03-26 22:58 d-------- c:\windows\system32\CatRoot2
2009-03-23 22:17 . 2009-03-23 22:17 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d-------- c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d-------- c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d-------- C:\oldregistry
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17 --------- d-----w c:\program files\LimeWire
2009-03-18 05:15 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46 --------- d-----w c:\program files\Hewlett-Packard
2009-02-18 05:45 --------- d-----w c:\program files\Click And Fix Trial
2009-02-18 05:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 05:43 --------- d-----w c:\program files\Common Files\ArcSoft
2009-02-18 05:43 --------- d-----w c:\program files\ArcSoft
2009-02-17 02:59 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 00:15 15,688 ----a-w c:\windows\system32\lsdelete.exe
.
------- Sigcheck -------
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll
2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll
2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 03:17:58 61,457 ----a-w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
+ 2009-04-02 21:39:12 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-04-02 21:39:12 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-04-14 04:10:48 36,352 ----a-w c:\windows\LastGood\system32\drivers\disk.sys
+ 2008-04-14 04:15:40 26,368 ----a-w c:\windows\LastGood\system32\drivers\USBSTOR.SYS
+ 2009-04-02 23:57:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - FontCache3.0.0.0
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 23:31:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-04-05 23:33:25
ComboFix-quarantined-files.txt 2009-04-06 03:33:20
ComboFix2.txt 2009-03-30 22:05:28
ComboFix3.txt 2009-03-29 23:53:54
ComboFix4.txt 2009-03-27 03:30:45
ComboFix5.txt 2009-04-06 03:30:23
Pre-Run: 60,633,825,280 bytes free
Post-Run: 60,617,560,064 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
343 --- E O F --- 2009-03-02 14:44:36


----------



## Cookiegal (Aug 27, 2003)

ComboFix is too old so it's running in reduced functionality mode. Please drag it to the recycle bin and download the latest version and run the CFScript again and then post the log please.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.


----------



## middling (Mar 10, 2009)

Hope this is OK.

ComboFix 09-04-04.01 - Administrator 2009-04-08 0:12:47.11 - NTFSx86
Running from: J:\combofix.exe
Command switches used :: J:\CFScript.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSpqlt.dat
c:\windows\system32\TDSSpqlt.dll
c:\windows\system32\TDSSpqlt.sys
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.
2009-04-08 00:10 . 2009-04-08 00:10 389,120 --a------ c:\windows\system32\CF1798.exe
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\program files\SUPERAntiSpyware
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 17:39 . 2009-04-02 17:39 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-02 17:38 . 2009-04-02 17:38 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-26 23:17 . 2009-03-26 23:17 d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-26 23:04 . 2009-03-26 23:04 d-------- C:\combo-fix
2009-03-26 22:58 . 2009-03-26 22:58 d-------- c:\windows\system32\CatRoot2
2009-03-23 22:17 . 2009-03-23 22:17 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-23 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-23 22:16 . 2009-03-23 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 22:16 . 2009-03-23 22:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 11:55 . 2009-03-10 11:55 d-------- c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\program files\Common Files\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 11:54 . 2009-03-10 11:54 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 18:17 . 2009-03-10 23:30 d-------- c:\program files\RegCure
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagwrn.xml
2009-03-08 22:58 . 2009-03-08 23:07 1,905 --a------ c:\windows\diagerr.xml
2009-03-08 22:57 . 2009-03-08 22:57 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-08 21:41 . 2009-03-08 21:41 d-------- C:\oldregistry
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:17 --------- d-----w c:\program files\LimeWire
2009-03-18 05:15 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-18 05:46 --------- d-----w c:\program files\Hewlett-Packard
2009-02-18 05:45 --------- d-----w c:\program files\Click And Fix Trial
2009-02-18 05:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 05:43 --------- d-----w c:\program files\Common Files\ArcSoft
2009-02-18 05:43 --------- d-----w c:\program files\ArcSoft
2009-02-17 02:59 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 00:15 15,688 ----a-w c:\windows\system32\lsdelete.exe
.
------- Sigcheck -------
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2003-03-31 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
2003-03-31 10:00 75264 8529c295df59b564d37a73b5629162b1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 16:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2003-03-31 10:00 599040 f3587750a7481dccbea13d473a0700be c:\windows\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-06-23 12:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
2008-06-23 12:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
2008-06-23 11:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 10:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2003-03-31 10:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2003-03-31 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
2003-03-31 10:00 167552 3b350e5a2a5e951453f3993275a4523a c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 17:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2003-03-31 10:00 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2008-11-21 09:42 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 06:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2003-03-31 10:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
2003-03-31 10:00 101376 e3df4a0252d287c44606ee55355e1623 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
2003-03-31 10:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
2003-03-31 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
2003-03-31 10:00 51200 9b4155ba58192d4073082b8fc5d42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
2003-03-31 10:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
2003-03-31 10:00 200192 fe84e045a09a4abc4deef7270448b64e c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
2003-03-31 10:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 05:41 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll
2003-03-31 10:00 14848 865ad7ccb20856727d5bd994b094dc5e c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 05:42 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll
2003-03-31 10:00 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 05:41 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( [email protected]_23.06.40.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 03:17:58 61,457 ----a-w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
+ 2009-04-02 21:39:12 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-04-02 21:39:12 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-08 03:05:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_438.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2009-01-21 20:48 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-21 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-21 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 20:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-02-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt [email protected] []
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CC9FF4C6-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Privacy Controls_{CFB05A70-0D8B-11DE-ABCE-000EA62D48F3}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 11:29]
2009-03-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
2009-03-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
2009-03-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 00:14:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-08 0:16:51
ComboFix-quarantined-files.txt 2009-04-08 04:16:46
ComboFix2.txt 2009-04-06 03:33:26
ComboFix3.txt 2009-03-30 22:05:28
ComboFix4.txt 2009-03-29 23:53:54
ComboFix5.txt 2009-04-08 04:10:27
Pre-Run: 60,643,516,416 bytes free
Post-Run: 60,627,505,152 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
336 --- E O F --- 2009-03-02 14:44:36


----------



## Cookiegal (Aug 27, 2003)

ComboFix is showing a lot of critical system files are failing the signature check and that could mean either they are patched by malware or there's a problem with the Catroot2 folder and/or Cryptographic Services.

Let's check some files for malware please:

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

c:\windows\system32\svchost.exe
c:\windows\system32\user32.dll
c:\windows\system32\winlogon.exe
c:\windows\system32\ntkrnlpa.exe

Also, check to make sure Cryptographic Services is running. To do that go to *Start* - *Run* - type in *services.msc* and click *OK*. Now, from the list there scroll down to *Cryptographic Services* and double click on it to open it up. Let me know if the Service status shows as started and the Startup Type shows as Automatic please.


----------
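

The reasoning in Cookiegal's post above (a live system file whose hash differs from its reference copies is either patched or the signature store is broken, and either way needs a closer look) can be applied mechanically to the Sigcheck section of a ComboFix log. The Python below is an added example for this thread; it is not part of any post and not ComboFix's own code. Its sample input is a subset of the Sigcheck lines from the log posted above. For each file it takes the live copy in c:\windows, c:\windows\system32 or c:\windows\system32\drivers, compares its MD5 with the Windows File Protection copy in dllcache first and the ServicePackFiles / Driver Cache copies second, and flags any live copy that matches neither. The role names (`live`, `dllcache`, `spfiles`) and the choice of dllcache as the primary reference are mine, not ComboFix's.

```python
import re
from collections import defaultdict

# Sample input: Sigcheck lines copied from the ComboFix log posted in this thread.
SIGCHECK_SAMPLE = r"""
2003-03-31 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
2009-02-16 22:59 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys
2008-08-14 16:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2003-03-31 10:00 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2008-11-21 09:42 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 05:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe
"""

# One Sigcheck line: date, time, size, md5, path.
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Directories whose copy is the one Windows actually loads (lower-cased paths).
LIVE_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers")


def parse_sigcheck(text):
    """Return a list of dicts for every line that looks like a Sigcheck entry."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["path"] = e["path"].lower()
            entries.append(e)
    return entries


def classify(path):
    """Role of one copy: 'live', 'dllcache', 'spfiles', or None for uninstall/hotfix backups."""
    directory = path.lower().rpartition("\\")[0]
    if directory in LIVE_DIRS:
        return "live"
    if "\\dllcache\\" in path.lower():
        return "dllcache"
    if "\\servicepackfiles\\i386\\" in path.lower() or "\\driver cache\\i386\\" in path.lower():
        return "spfiles"
    return None


def check_sigcheck(text):
    """Compare each live file's MD5 against its reference copies.

    Verdicts: 'ok' (matches dllcache), 'ok-spfiles' (matches only the service-pack copy),
    'mismatch' (matches no reference copy), 'no-reference', 'no-live-copy'.
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for e in parse_sigcheck(text):
        role = classify(e["path"])
        if role is not None:
            by_name[e["path"].rpartition("\\")[2]][role].append(e)

    report = {}
    for name, roles in by_name.items():
        if not roles["live"]:
            report[name] = {"verdict": "no-live-copy"}
            continue
        live = roles["live"][0]
        cache = {c["md5"] for c in roles["dllcache"]}
        sp = {c["md5"] for c in roles["spfiles"]}
        if live["md5"] in cache:
            verdict = "ok"            # identical to the WFP dllcache copy
        elif live["md5"] in sp:
            verdict = "ok-spfiles"    # dllcache missing or stale, but matches the SP copy
        elif cache or sp:
            verdict = "mismatch"      # differs from every reference copy: verify this file
        else:
            verdict = "no-reference"
        report[name] = {
            "verdict": verdict,
            "live_md5": live["md5"],
            "live_size": live["size"],
            "reference_md5": sorted(cache | sp),
        }
    return report


if __name__ == "__main__":
    for name, r in check_sigcheck(SIGCHECK_SAMPLE).items():
        print(f"{name:14} {r['verdict']:12} live={r.get('live_md5')}")
```

Run against the sample, svchost.exe and tcpip.sys come back `ok` and ntkrnlpa.exe comes back `mismatch`: its live copy (2023936 bytes, md5 8206b5...) matches neither the dllcache copy nor the ServicePackFiles copy, which is exactly the file the post asks to have uploaded for a scan. The tcpip.sys entry shows why dllcache is checked before ServicePackFiles: a hotfix (KB951748 here) legitimately makes the live driver differ from the service-pack copy while still matching dllcache. The check is a triage aid only: a rootkit that replaced dllcache as well would produce a clean match, so a mismatch is a lead to verify, and a match is not proof the file is clean.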



## middling (Mar 10, 2009)

Hi CG. I'm not sure what you want me to do. Remember, I have no internet on the infected computer. Can I download this program from my other pc and load it onto the infected machine to check these files? I will check "services" tomorrow and get back to you.


----------



## Cookiegal (Aug 27, 2003)

If you bypass the router, can you connect? Be sure the firewall is on before doing that and only do it for a short time as a test.


----------



## middling (Mar 10, 2009)

No - tried that many times before and once just recently. The problem is in the computer. I can't connect without an ip address or gateway or HDCP file. Can I transfer those files to a connected computer by usb drive and then scan them through Jotti? A friend suggested this as a possibility.


----------



## Cookiegal (Aug 27, 2003)

Yes, you could do that but then you risk infecting the other computer.

Be sure to unhide files and search for this file:

*rasphone.pbk*

Then open it up in Notepad and copy and paste the contents here please.


----------



## middling (Mar 10, 2009)

Would I negate or at least minimize the risk of infection by renaming the file extensions with something like .xexe before transferring to the net-enabled PC? Or do you think the risk is minimal and not worth worrying about?


----------



## Cookiegal (Aug 27, 2003)

Please drag ComboFix to the recycle bin and grab a new one the same way you did before.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.


----------



## Cookiegal (Aug 27, 2003)

middling said:


> Would I negate or at least minimize the risk of infection by renaming the file extensions with something like .xexe before transferring to the net-enabled PC? Or do you think the risk is minimal and not worth worrying about?


Let's try something else first. Also, you didn't post the information I requested above in post no. 70.


----------



## middling (Mar 10, 2009)

Hi CG - Don't know if I did it right. I unhid files in the folder section of control panel and searched for rasphone.pbk but I got no results back. Is there some other way to search?


----------



## middling (Mar 10, 2009)

I forgot to tell you. "cryptographic services" does not even exist in my services file. It is missing along with the DHSC file I suppose. I downloaded another combofix and installed it.


----------



## Cookiegal (Aug 27, 2003)

Do you have your XP installation CD?


----------



## middling (Mar 10, 2009)

Unfortunately not. I got the computer at a garage sale!!!!


----------



## Cookiegal (Aug 27, 2003)

Well, if those services are indeed missing, you may have done some damage with a registry cleaner. I see RegCure there and I would uninstall that as those programs often cause more harm than good.

Download *OTScanIt2.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt2* on your desktop.

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
In the *Processes* group click *ALL*
In the *Services* group click *Safe List*
In the *Drivers* group click *Safe List*
In the *Registry* group click *ALL*
In the *Rootkit Search* group select *YES*
In the *Files Age* drop down box click *60 days*
Make sure *Use White List* and *Include All Unicode Names* boxes are checked
In the Files Created and Files Modified groups select *Whitelist/File age*
In the *Additional scans sections* please select *Everything* and make sure Safe List box is checked
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and *attach the notepad file here*. I will review it when it comes in.

It will be much too big so you will need to zip the file before it will be able to be uploaded.


----------



## middling (Mar 10, 2009)

Hi CG. Tried to download from that site but it won't even connect to the site. Tried to find the file on Bleepingcomputer.com - no luck. I did a search there and no response. I googled the file but I'm wary of downloading from any site not CG recommended. Any others?


----------



## middling (Mar 10, 2009)

OK I finally got it by downloading Firefox first. I uploaded the file as an attachment. Hope I did it OK. Thanks again.


----------



## Cookiegal (Aug 27, 2003)

It looks like you forgot to attach it.


----------



## middling (Mar 10, 2009)

Hope it's right this time. I uploaded the file through the attachment module on this window. It should be there. If not please advise how. Sorry.


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a Fixmiddling.zip file. Save it to your desktop. Unzip it and double-click the Fixmiddling.reg file and allow it to merge into the registry.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Reboot the machine and let me know if there's any improvement.


----------



## Cookiegal (Aug 27, 2003)

Also, please do the following:

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## middling (Mar 10, 2009)

Thanks CG. Won't be at my PC till tomorrow night. Will post then.


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine.


----------



## middling (Mar 10, 2009)

Hi CG. I did everything asked and I'm afraid I still have no connection or any noticeable difference. Eventvwr produced no errors in System and none in Application since the 12th of this month, which I copied for your perusal. I also copied some interesting warnings. The temp file deletion has occurred on a few different days. BTW, I bought Regcure as a result of a google search to find a solution to my problem. Regcure touted itself as a cure for "missing DCHP file". When it didn't work I asked for a refund. I have not as yet deleted it because I have been following your instructions to the letter; I will delete it now. I don't know if this is germane to the problem but I did a search for i386 files and found nothing!
Thanks again- you're a very patient lady!

Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 259
Date: 12/04/2009
Time: 8:40:59 PM
User: NT AUTHORITY\SYSTEM
Computer: PC
Description:
The file C:\Documents and Settings\Administrator\Local Settings\Temp\Av-test.txt contains the EICAR test file Test. No cleaner available, file deleted successfully. Detected using Scan engine version 5300.2777 DAT version 5540.0000.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 16/04/2009
Time: 9:56:59 PM
User: NT AUTHORITY\SYSTEM
Computer: PC
Description:
Windows saved user PC\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. 
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 16/04/2009
Time: 9:56:59 PM
User: PC\Administrator
Computer: PC
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: McLogEvent
Event Category: None
Event ID: 258
Date: 14/04/2009
Time: 7:42:41 PM
User: NT AUTHORITY\SYSTEM
Computer: PC
Description:
The file C:\Documents and Settings\Administrator\Local Settings\Temp\fkrvehqs.dll contains Generic.dx Trojan. The file was successfully deleted.

Event Type: Warning
Event Source: McLogEvent
Event Category: None
Event ID: 258
Date: 14/04/2009
Time: 7:42:41 PM
User: NT AUTHORITY\SYSTEM
Computer: PC
Description:
The file C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\FKRVEHQS.DLL contains Generic.dx Trojan. The file was successfully deleted.
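
The events pasted above are in the text layout Event Viewer produces when an event is copied to the clipboard: a fixed block of `Field: value` header lines, then a free-form `Description:` body that may span several lines. The following parser is an added example, not code from this thread, showing how a helper can pull the antivirus detections out of such a paste automatically and separate the EICAR test detection (harmless by design) from the real one, which here is a DLL in the user's Temp folder that the on-access scanner logged twice under different path casing. The sample input is built from three of the events posted above.

```python
import re
from dataclasses import dataclass

# Sample input built from the events posted above (one McAfee EICAR detection,
# one Userenv warning, one McAfee Trojan detection), in the text layout Event
# Viewer produces when an event is copied to the clipboard.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 259
Date: 12/04/2009
Time: 8:40:59 PM
User: NT AUTHORITY\\SYSTEM
Computer: PC
Description:
The file C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Av-test.txt contains the EICAR test file Test. No cleaner available, file deleted successfully.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 16/04/2009
Time: 9:56:59 PM
User: NT AUTHORITY\\SYSTEM
Computer: PC
Description:
Windows saved user PC\\Administrator registry while an application or service was still using the registry during log off.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: McLogEvent
Event Category: None
Event ID: 258
Date: 14/04/2009
Time: 7:42:41 PM
User: NT AUTHORITY\\SYSTEM
Computer: PC
Description:
The file C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\LOCAL SETTINGS\\TEMP\\FKRVEHQS.DLL contains Generic.dx Trojan. The file was successfully deleted.
"""

HEADER_FIELDS = ("Event Type", "Event Source", "Event Category", "Event ID",
                 "Date", "Time", "User", "Computer")

# McAfee's VirusScan message shape: "The file <path> contains <threat>. <action>"
DETECTION_RE = re.compile(r"The file (?P<path>.+?) contains (?P<threat>.+?)\.(?:\s|$)")


@dataclass
class Event:
    fields: dict
    description: str


def parse_events(text):
    """Split Event Viewer clipboard text into Event records.

    A record starts at an 'Event Type:' line; everything after its
    'Description:' line (including blank lines) belongs to that record until
    the next 'Event Type:' line.
    """
    events, current, in_description = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Event Type:"):
            current = Event({}, "")
            events.append(current)
            in_description = False
        if current is None:
            continue  # stray text before the first record
        if in_description:
            current.description += line + "\n"
            continue
        if line == "Description:":
            in_description = True
            continue
        key, sep, value = line.partition(":")  # only the first colon splits
        if sep and key in HEADER_FIELDS:
            current.fields[key] = value.strip()
    for ev in events:
        ev.description = ev.description.strip()
    return events


def antivirus_detections(events):
    """Return one dict per McAfee (McLogEvent) detection found in the events."""
    hits = []
    for ev in events:
        if ev.fields.get("Event Source") != "McLogEvent":
            continue
        m = DETECTION_RE.search(ev.description)
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        hits.append({
            "date": ev.fields.get("Date"),
            "path": path,
            "threat": threat,
            "deleted": "deleted" in ev.description.lower(),
            "in_temp": "\\temp\\" in path.lower(),      # dropped into a Temp folder
            "test_file": "eicar" in threat.lower(),     # EICAR is a harmless test string
        })
    return hits


def real_detections(hits):
    """Unique, case-folded paths of non-test detections; the scanner logged
    the same DLL twice with different path casing."""
    return sorted({h["path"].lower() for h in hits if not h["test_file"]})


if __name__ == "__main__":
    found = antivirus_detections(parse_events(SAMPLE_EVENTS))
    for h in found:
        print(h["date"], h["threat"], "->", h["path"], "(test file)" if h["test_file"] else "")
    print("real detections:", real_detections(found))
```

The Userenv warnings (event IDs 1517 and 1524) are parsed too but ignored by `antivirus_detections`; they only say a profile hive was still in use at log-off, which is not a security signal on its own.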


----------



## Cookiegal (Aug 27, 2003)

Please delete ComboFix by dragging it to the recycle bin and then grab the latest version and post a new scan log.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

Be sure to disable all security programs when running ComboFix, as you did before.


----------



## middling (Mar 10, 2009)

thanks CG- will not be at my pc till late Sun night. Will post then.


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine.


----------



## middling (Mar 10, 2009)

Hi CG. Beautiful Quebec day! Here's the latest combofix file.

ComboFix 09-04-20.02 - Administrator 19/04/2009 23:01.13 - NTFSx86
Running from: J:\combofix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 03:17 . 2009-03-27 03:17 -------- d-----w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-27 03:04 . 2009-03-27 03:04 -------- d-----w C:\combo-fix
2009-03-27 02:58 . 2009-03-27 02:58 -------- d-----w c:\windows\system32\CatRoot2
2009-03-24 02:17 . 2009-03-24 02:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-24 02:17 . 2009-02-11 14:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-24 02:16 . 2009-02-11 14:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 02:16 . 2009-03-24 02:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 02:29 . 2009-01-22 03:07 20847 ----a-w C:\aaw7boot.log
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-02 21:38 . 2009-04-02 21:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-24 02:17 . 2009-03-24 02:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-18 05:17 . 2009-01-02 00:57 -------- d-----w c:\program files\LimeWire
2009-03-18 05:15 . 2009-01-02 00:58 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-03-17 16:11 . 2008-12-09 00:37 3061 ----a-w C:\hpfr5100.log
2009-03-10 15:55 . 2009-03-10 15:55 -------- d-----w c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 02:57 . 2009-03-09 02:57 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-03-05 21:09 . 2009-03-05 21:09 7977 ----a-w C:\resetlog.txt
2009-02-17 02:59 . 2003-03-31 14:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 03:02 . 2009-01-22 03:02 2 ----a-w C:\-520583248
2009-01-22 00:15 . 2009-01-22 00:51 15688 ----a-w c:\windows\system32\lsdelete.exe
2008-12-29 04:45 . 2008-10-06 13:28 43872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
[-] 2003-03-31 14:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[-] 2003-03-31 14:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[-] 2003-03-31 14:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2003-03-31 14:00 599040 F3587750A7481DCCBEA13D473A0700BE c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[-] 2007-08-13 22:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
[-] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
[-] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2003-03-31 14:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys
[-] 2003-03-31 14:00 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[-] 2003-03-31 14:00 167552 3B350E5A2A5E951453F3993275A4523A c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
[-] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2003-03-31 14:00 1920512 71FF7EC0EEEA4896DD219C661C90DB29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2008-11-21 13:42 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-14 04:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2003-03-31 14:00 1891840 25A90EB7D1EEE12AB198DC9421BFA353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2008-11-21 13:42 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-14 04:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2003-03-31 14:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2003-03-31 14:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe
[-] 2003-03-31 14:00 11776 B2B6BA905D0E3F8A32A0EB3B4051807B c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[-] 2003-03-31 14:00 13312 414DE7CF9D3F19C3EA902F1BB38EC116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[-] 2003-03-31 14:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[-] 2003-03-31 14:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[-] 2003-03-31 14:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[-] 2003-03-31 14:00 930304 8F162DC91D67D87C1A481BF602A9DAC8 c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll
[-] 2003-03-31 14:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[-] 2003-03-31 14:00 103936 C9F9E3E6B59C6D6CBCE7F14494A4518A c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[-] 2003-03-31 14:00 1157632 2564949DBE5F643F50913BBE45D346E2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [email protected]_20.44.05.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 02:29 . 2009-04-17 02:29 16384 c:\windows\Temp\Perflib_Perfdata_494.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-22 507224]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-22 942416]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-22 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 23:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll
- - - - - - - > 'explorer.exe'(444)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-20 23:05
ComboFix-quarantined-files.txt 2009-04-20 03:05
ComboFix2.txt 2009-04-13 00:45
ComboFix3.txt 2009-04-08 04:16
ComboFix4.txt 2009-04-06 03:33
ComboFix5.txt 2009-04-20 03:00
Pre-Run: 60,733,513,728 bytes free
Post-Run: 60,720,955,392 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
306 --- E O F --- 2009-03-02 14:44
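
The Sigcheck section of the log above lists every copy ComboFix found of a set of critical system files (svchost.exe, tcpip.sys, winlogon.exe, ...) with its MD5, including the backup copies in dllcache, ServicePackFiles\i386 and the hotfix uninstall folders. A quick consistency check a helper can do offline is to compare the live copy against those references. The script below is an added example, not part of this thread or of ComboFix; its sample input is taken from the Sigcheck lines above, except the final system32\userinit.exe line, which is constructed with a placeholder hash purely to exercise the mismatch branch (in the real log userinit.exe matches its reference).

```python
import re
from collections import defaultdict

# Sigcheck lines taken from the ComboFix log above (svchost.exe, tcpip.sys and
# the ServicePackFiles copy of userinit.exe). The last line is CONSTRUCTED with
# a placeholder hash to show the "mismatch" verdict; it is not from the log.
SIGCHECK_SAMPLE = r"""
[-] 2003-03-31 14:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2003-03-31 14:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2009-04-01 00:00 26112 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF c:\windows\system32\userinit.exe
"""

# "[flag] date time size md5 path"
LINE_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)

# Folders that hold backup or staged copies rather than the copy Windows runs.
BACKUP_MARKERS = ("\\$ntservicepackuninstall$\\", "\\$ntuninstall", "\\$hf_mig$\\",
                  "\\softwaredistribution\\", "\\ie7\\", "\\ie7updates\\", "\\driver cache\\")


def classify(path):
    """Role of a copy: the live file, the dllcache copy, the service-pack
    reference copy, or some other backup/staging copy."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"
    if "\\servicepackfiles\\" in p:
        return "servicepack"
    if any(marker in p for marker in BACKUP_MARKERS):
        return "backup"
    return "live"


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts with name, role, size and MD5."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        d["role"] = classify(d["path"])
        entries.append(d)
    return entries


def compare_live_copies(entries):
    """Compare each live file with its dllcache and ServicePackFiles copies.

    Verdicts: 'consistent' (all equal), 'updated' (live == dllcache but both
    differ from the service-pack copy: the normal footprint of a later hotfix,
    which updates system32 and dllcache together), 'mismatch' (live differs
    from the reference it should match) or 'no-reference'.
    """
    by_name = defaultdict(dict)
    for e in entries:
        by_name[e["name"]].setdefault(e["role"], e["md5"])  # first copy per role
    report = {}
    for name, roles in by_name.items():
        live, cache, sp = roles.get("live"), roles.get("dllcache"), roles.get("servicepack")
        if live is None:
            continue
        if cache is None and sp is None:
            verdict = "no-reference"
        elif cache is not None and live != cache:
            verdict = "mismatch"
        elif cache is None and live != sp:
            verdict = "mismatch"
        elif sp is not None and live != sp:
            verdict = "updated"
        else:
            verdict = "consistent"
        report[name] = {"verdict": verdict, "live": live, "dllcache": cache, "servicepack": sp}
    return report


if __name__ == "__main__":
    for name, r in sorted(compare_live_copies(parse_sigcheck(SIGCHECK_SAMPLE)).items()):
        print(f"{name:14} {r['verdict']:12} live={r['live']}")
```

On the real data, svchost.exe comes out `consistent` and tcpip.sys `updated` (its live and dllcache copies carry the KB951748 hotfix build, while ServicePackFiles still holds the SP3 build). Only a `mismatch`, where the running copy differs from its own dllcache copy, is worth a closer look; an `updated` verdict alone is expected on any patched machine.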


----------



## Cookiegal (Aug 27, 2003)

Please run GMER again. Here are the instructions again in case you don't still have it from before.

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## middling (Mar 10, 2009)

Here's the gmer log as requested.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-20 22:42:05
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76BF87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76BFC10]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5A81DF0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF2C932F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF2C9331D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF2C932C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF2C93307]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2C93349]
Code \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP F2C932CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP F2C9334D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP F2C93321 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP F2C932F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP F2C9330B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys  The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[128] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected]  \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
---- EOF - GMER 1.0.15 ----
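
The Registry section of the GMER log above is the finding that matters in this thread: a service, TDSSserv.sys, that GMER reports because its keys are hidden from the normal registry API, present in two control sets, started by the kernel at boot, with a list of modules under a `\modules` subkey. The script below is an added example, not part of this thread or of GMER, that groups such `Reg` lines by service and decodes the start/type values so a reader can see at a glance what kind of service an entry describes. The sample is reconstructed in GMER's `Reg  <key>@<value> <data>` layout from the lines above; the value names under `\modules` (mod01..mod05) are assumed, because the posted log shows them mangled as `[email protected]`.

```python
import re
from collections import defaultdict

# Reconstructed from the Registry section of the GMER log above, in GMER's
# "Reg  <key>@<value> <data>" layout. The value names under \modules are
# ASSUMED (mod01..mod05); the posted log shows them mangled as [email protected].
GMER_REGISTRY_SAMPLE = r"""
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSpqlt.sys
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@mod01 \systemroot\system32\drivers\TDSSpqlt.sys
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@mod02 \systemroot\system32\TDSSoiqt.dll
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@mod03 \systemroot\system32\TDSSpqlt.dat
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@mod04 \systemroot\system32\TDSSnmxh.log
Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@mod05 \systemroot\system32\TDSSsihc.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg  HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSpqlt.sys
"""

# "Reg  <key>[@<value> [<data>]]"; keys carry no spaces, data may.
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")

# Standard meanings of the Services\<name>\Start and \Type values.
START_TYPES = {"0": "boot (loaded by the boot loader)", "1": "system (loaded by the kernel at boot)",
               "2": "automatic", "3": "manual", "4": "disabled"}
SERVICE_TYPES = {"1": "kernel driver", "2": "file system driver",
                 "16": "own process", "32": "shared process"}


def summarize_services(text):
    """Group GMER 'Reg' lines by service: top-level values, \\modules values
    and the control sets in which the entries appear."""
    services = defaultdict(lambda: {"control_sets": set(), "values": {}, "modules": {}})
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("key").split("\\")
        lowered = [p.lower() for p in parts]
        if "services" not in lowered or lowered.index("services") + 1 >= len(parts):
            continue
        i = lowered.index("services")
        entry = services[parts[i + 1]]
        subkey = "\\".join(lowered[i + 2:])
        entry["control_sets"].update(p for p in parts if p.lower().startswith("controlset"))
        if m.group("value") is None:
            continue  # a bare key line such as ...\modules
        if subkey == "modules":
            entry["modules"][m.group("value").lower()] = m.group("data") or ""
        elif subkey == "":
            entry["values"][m.group("value").lower()] = m.group("data") or ""
    return dict(services)


def triage(services):
    """One summary row per service with decoded start/type and module stats."""
    rows = []
    for name, e in sorted(services.items()):
        mods = list(e["modules"].values())
        rows.append({
            "name": name,
            "control_sets": sorted(e["control_sets"]),
            "image_path": e["values"].get("imagepath"),
            "start": START_TYPES.get(e["values"].get("start"), "unknown"),
            "type": SERVICE_TYPES.get(e["values"].get("type"), "unknown"),
            "modules": len(mods),
            "file_types": sorted({"." + p.rsplit(".", 1)[-1].lower() for p in mods if "." in p}),
        })
    return rows


if __name__ == "__main__":
    for row in triage(summarize_services(GMER_REGISTRY_SAMPLE)):
        print(row["name"], "in", ", ".join(row["control_sets"]))
        print("  start:", row["start"], "| type:", row["type"])
        print("  image:", row["image_path"])
        print("  modules:", row["modules"], row["file_types"])
```

The decoded summary is what makes the CFScript that follows readable: the `Driver::` line stops the kernel driver, and the two `Registry::` lines remove the hidden service key from both control sets the summary lists, so the entries cannot be re-read at the next boot.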


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Driver::
TDSSserv

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## middling (Mar 10, 2009)

Hi CG. Here's the two reports you requested.

ComboFix 09-04-20.02 - Administrator 21/04/2009 18:59.14 - NTFSx86
Running from: J:\combofix.exe
Command switches used :: J:\cfscript.txt.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 03:17 . 2009-03-27 03:17 -------- d-----w c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-03-27 03:04 . 2009-03-27 03:04 -------- d-----w C:\combo-fix
2009-03-27 02:58 . 2009-03-27 02:58 -------- d-----w c:\windows\system32\CatRoot2
2009-03-24 02:17 . 2009-03-24 02:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-24 02:17 . 2009-02-11 14:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-24 02:16 . 2009-02-11 14:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 02:16 . 2009-03-24 02:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 02:29 . 2009-01-22 03:07 20847 ----a-w C:\aaw7boot.log
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-02 21:38 . 2009-04-02 21:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-24 02:17 . 2009-03-24 02:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-18 05:17 . 2009-01-02 00:57 -------- d-----w c:\program files\LimeWire
2009-03-18 05:15 . 2009-01-02 00:58 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-03-17 16:11 . 2008-12-09 00:37 3061 ----a-w C:\hpfr5100.log
2009-03-10 15:55 . 2009-03-10 15:55 -------- d-----w c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 02:57 . 2009-03-09 02:57 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-03-05 21:09 . 2009-03-05 21:09 7977 ----a-w C:\resetlog.txt
2009-02-17 02:59 . 2003-03-31 14:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 03:02 . 2009-01-22 03:02 2 ----a-w C:\-520583248
2009-01-22 00:15 . 2009-01-22 00:51 15688 ----a-w c:\windows\system32\lsdelete.exe
2008-12-29 04:45 . 2008-10-06 13:28 43872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
[-] 2003-03-31 14:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[-] 2003-03-31 14:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[-] 2003-03-31 14:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2003-03-31 14:00 599040 F3587750A7481DCCBEA13D473A0700BE c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[-] 2007-08-13 22:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
[-] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
[-] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2003-03-31 14:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys
[-] 2003-03-31 14:00 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[-] 2003-03-31 14:00 167552 3B350E5A2A5E951453F3993275A4523A c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
[-] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2003-03-31 14:00 1920512 71FF7EC0EEEA4896DD219C661C90DB29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2008-11-21 13:42 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-14 04:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2003-03-31 14:00 1891840 25A90EB7D1EEE12AB198DC9421BFA353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2008-11-21 13:42 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-14 04:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2003-03-31 14:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2003-03-31 14:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe
[-] 2003-03-31 14:00 11776 B2B6BA905D0E3F8A32A0EB3B4051807B c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[-] 2003-03-31 14:00 13312 414DE7CF9D3F19C3EA902F1BB38EC116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[-] 2003-03-31 14:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[-] 2003-03-31 14:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[-] 2003-03-31 14:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[-] 2003-03-31 14:00 930304 8F162DC91D67D87C1A481BF602A9DAC8 c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll
[-] 2003-03-31 14:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[-] 2003-03-31 14:00 103936 C9F9E3E6B59C6D6CBCE7F14494A4518A c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[-] 2003-03-31 14:00 1157632 2564949DBE5F643F50913BBE45D346E2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [email protected]_20.44.05.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 02:29 . 2009-04-17 02:29 16384 c:\windows\Temp\Perflib_Perfdata_494.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-22 507224]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-22 942416]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-22 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - aujasnkj
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LightScribeService
*Deregistered* - LinksysUpdater
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - pnarp
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - purendis
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WSearch
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 19:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll
- - - - - - - > 'explorer.exe'(340)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-21 19:02
ComboFix-quarantined-files.txt 2009-04-21 23:02
ComboFix2.txt 2009-04-20 03:05
ComboFix3.txt 2009-04-13 00:45
ComboFix4.txt 2009-04-08 04:16
ComboFix5.txt 2009-04-21 22:59
Pre-Run: 60,737,425,408 bytes free
Post-Run: 60,720,885,760 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
308 --- E O F --- 2009-03-02 14:44

Logfile of HijackThis v1.99.1
Scan saved at 7:58:20 PM, on 21/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

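A practitioner's way to read the Sigcheck section of a ComboFix log like the one above: every line is tagged `[-]`, which only says ComboFix could not match the file against its signature database, so the useful comparison is between the copy Windows actually loads (system32, system32\drivers, c:\windows) and the reference copies in dllcache and ServicePackFiles\i386. The script below is an added example for this thread, not part of ComboFix or of the poster's logs; the sample lines are copied from the log above, and the directory classification (which folders count as "reference" or "archive") is my own assumption. A mismatch is a lead to verify against a known-good hash, not proof of tampering: a hotfix such as the KB956841 kernel update visible above can legitimately leave a live kernel that differs from the dllcache copy.

```python
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log posted above (a subset; same format as the full section).
SAMPLE = r"""
[-] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2009-02-17 02:59 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[-] 2003-03-31 14:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
"""

# [-] <date time> <size> <MD5> <path>
SIG_RE = re.compile(r"^\[-\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(\S.*?)\s*$")

# Assumed classification: reference copies Windows File Protection restores from,
# versus archived copies left behind by service packs and hotfixes (never loaded).
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")
ARCHIVE_DIRS = ("$ntservicepackuninstall$", "$hf_mig$", "$ntuninstall",
                "softwaredistribution\\download", "driver cache", "ie7updates", "\\ie7\\")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            stamp, size, md5, path = m.groups()
            entries.append({"stamp": stamp, "size": int(size), "md5": md5.upper(), "path": path})
    return entries


def kind(path):
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(d in p for d in ARCHIVE_DIRS):
        return "archive"
    return "live"          # the copy Windows actually loads


def compare(text):
    """Per file name: live paths whose MD5 is not found among the reference copies."""
    groups = defaultdict(lambda: {"live": [], "reference": set()})
    for e in parse_sigcheck(text):
        name = e["path"].rsplit("\\", 1)[-1].lower()
        k = kind(e["path"])
        if k == "live":
            groups[name]["live"].append((e["path"], e["md5"]))
        elif k == "reference":
            groups[name]["reference"].add(e["md5"])
    report = {}
    for name, g in groups.items():
        if not g["live"] or not g["reference"]:
            continue   # nothing to compare against
        bad = [p for p, h in g["live"] if h not in g["reference"]]
        report[name] = {"mismatched_paths": bad, "reference_hashes": sorted(g["reference"])}
    return report


def mismatches(text):
    """File names whose live copy differs from every reference copy."""
    return sorted(n for n, r in compare(text).items() if r["mismatched_paths"])


if __name__ == "__main__":
    for name in mismatches(SAMPLE):
        r = compare(SAMPLE)[name]
        print(f"{name}: live copy {r['mismatched_paths']} not among reference hashes {r['reference_hashes']}")
```

Run over the complete Sigcheck section posted above, the same comparison also flags ntoskrnl.exe (system32 F6F8... versus dllcache EEAF... and ServicePackFiles 0C89...); both kernel files sit next to a `$NtUninstallKB956841$` folder, which is the first thing to check before treating the difference as suspicious.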

----------



## middling (Mar 10, 2009)

Hi CG. Did you forget about me or are you giving up? I wouldn't blame you one bit.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I didn't get a notification of the reply. I will post further instructions tomorrow morning for you.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Reboot and run another scan with GMER and post that log as well please.

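The CFScript above tells ComboFix to delete the TDSSserv service key from ControlSet001 and ControlSet003. A check a practitioner would run alongside it: ComboFix prints the values of HKLM\SYSTEM\Select near the end of its log (above: `Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4`), which lists every control set on the machine and which one CurrentControlSet points to. The example below is added here and is not Cookiegal's script or part of ComboFix; it parses the Registry:: section and the Select summary, reports control sets the script does not name, and (on Windows only, ideally from an elevated prompt) queries each candidate key before and after ComboFix runs to confirm it is gone. The service name is the one from the script; everything else is my own construction.

```python
import re
import sys

# The CFScript from the post above and the Select summary from the ComboFix log above.
CFSCRIPT = r"""Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv]
"""
SELECT_LINE = "Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4"

SELECT_RE = re.compile(r"Current=(\d+)\s+Default=(\d+)\s+Failed=(\d+)\s+LastKnownGood=(\d+)\s+Sets=([\d,]+)")
# [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSetNNN\Services\<name>]  (leading '-' = delete)
CF_RE = re.compile(r"^\[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet(\d{3})\\Services\\([^\]\\]+)\]",
                   re.IGNORECASE | re.MULTILINE)


def parse_select(line):
    """Values of HKLM\\SYSTEM\\Select as ComboFix prints them."""
    m = SELECT_RE.search(line)
    if not m:
        raise ValueError("not a Select summary line")
    cur, dflt, failed, lkg, sets = m.groups()
    return {"Current": int(cur), "Default": int(dflt), "Failed": int(failed),
            "LastKnownGood": int(lkg), "Sets": [int(s) for s in sets.split(",")]}


def scripted_control_sets(cfscript):
    """Map service name -> set of control-set numbers the script deletes it from."""
    out = {}
    for num, service in CF_RE.findall(cfscript):
        out.setdefault(service, set()).add(int(num))
    return out


def uncovered_sets(select_line, scripted):
    """Control sets that exist per Select but are not named in the script."""
    return [n for n in parse_select(select_line)["Sets"] if n not in scripted]


def service_key_paths(select_line, service):
    """Every place the service key could live: each real control set plus the CurrentControlSet alias."""
    paths = [rf"SYSTEM\ControlSet{n:03d}\Services\{service}" for n in parse_select(select_line)["Sets"]]
    paths.append(rf"SYSTEM\CurrentControlSet\Services\{service}")
    return paths


def query_service_keys(paths):
    """Windows only: True if the key exists, False if not, 'denied' if unreadable. None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    result = {}
    for p in paths:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, p):
                result[p] = True
        except FileNotFoundError:
            result[p] = False
        except PermissionError:
            result[p] = "denied"
    return result


if __name__ == "__main__":
    for service, sets in scripted_control_sets(CFSCRIPT).items():
        missing = uncovered_sets(SELECT_LINE, sets)
        print(f"{service}: script covers ControlSet{sorted(sets)}, Select lists {parse_select(SELECT_LINE)['Sets']},"
              f" not covered: {missing}, Current={parse_select(SELECT_LINE)['Current']}")
        found = query_service_keys(service_key_paths(SELECT_LINE, service))
        print(found if found is not None else "registry query skipped (not running on Windows)")
```

With the values from this thread the script names sets 1 and 3 while Select lists 1 to 4 with Current=2, so the key under ControlSet002 (the one CurrentControlSet resolves to) and ControlSet004 would be left to check by hand; on the machine itself the registry query is what settles whether anything remains.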

----------



## middling (Mar 10, 2009)

Hi CG. Funny, I didn't get your last post notification either. I only noticed it when I went to the site. Here are the logs you requested.

ComboFix 09-04-20.02 - Administrator 26/04/2009 9:58.15 - NTFSx86
Running from: J:\combofix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-03-26 to 2009-04-26 )))))))))))))))))))))))))))))))
.
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 00:00 . 2009-01-22 03:07 21071 ----a-w C:\aaw7boot.log
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-02 21:38 . 2009-04-02 21:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-24 02:17 . 2009-03-24 02:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-24 02:17 . 2009-03-24 02:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-24 02:16 . 2009-03-24 02:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 05:17 . 2009-01-02 00:57 -------- d-----w c:\program files\LimeWire
2009-03-18 05:15 . 2009-01-02 00:58 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-03-17 16:11 . 2008-12-09 00:37 3061 ----a-w C:\hpfr5100.log
2009-03-10 15:55 . 2009-03-10 15:55 -------- d-----w c:\documents and settings\Administrator\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-10 15:54 . 2009-03-10 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-09 02:57 . 2009-03-09 02:57 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-03-05 21:09 . 2009-03-05 21:09 7977 ----a-w C:\resetlog.txt
2009-02-17 02:59 . 2003-03-31 14:00 14336 ----a-w c:\windows\system32\svchost.exe
2008-12-29 04:45 . 2008-10-06 13:28 43872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((( [email protected]_20.44.05.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 00:00 . 2009-04-22 00:00 16384 c:\windows\Temp\Perflib_Perfdata_490.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-22 507224]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-22 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-22 942416]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

--- Other Services/Drivers In Memory ---
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:14]
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 09:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll
- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-26 10:02
ComboFix-quarantined-files.txt 2009-04-26 14:02
ComboFix2.txt 2009-04-21 23:02
ComboFix3.txt 2009-04-20 03:05
ComboFix4.txt 2009-04-13 00:45
ComboFix5.txt 2009-04-26 13:57
Pre-Run: 60,680,458,240 bytes free
Post-Run: 60,663,414,784 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
300 --- E O F --- 2009-03-02 14:44

Logfile of HijackThis v1.99.1
Scan saved at 10:03:56 AM, on 26/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


----------



## middling (Mar 10, 2009)

Here's the GMER

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-26 11:40:08
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76BF87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76BFC10]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5A81DF0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF2C932F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF2C9331D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF2C932C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF2C93307]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2C93349]
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP F2C932CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP F2C9334D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP F2C93321 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP F2C932F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP F2C9330B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2044] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp  mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSpqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSpqlt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

Are you comfortable editing the registry?


----------



## middling (Mar 10, 2009)

Yes. I've done it once or twice before under direction from microsoft or others on some previous computers.


----------



## Cookiegal (Aug 27, 2003)

First, we need to backup your registry:

Please go to *Start* - *Run* and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hourglass for a minute.

When it no longer has the hourglass, check in your C drive to be sure you have a file called *registrybackup.reg* before continuing. If you do not see that file, please let me know before doing anything else.

Now, open the registry editor by typing *regedit* in the run box (Start - Run).

Click on the + sign that you see to the left of each of these keys in the left-hand pane under Services:

HKEY_LOCAL_MACHINE
SYSTEM
ControlSet001
Services

Under Services, you will see a list of services there in alphabetical order. Scroll down to the following one and if it's there, right-click on it and select "Delete".

*TDSSserv*

Now do the same for this one:

HKEY_LOCAL_MACHINE
SYSTEM
ControlSet003
Services

and delete TDSSserv if listed there in the left-hand pane.

Reboot after deleting and then run a new scan with GMER and post that log please.


----------



## middling (Mar 10, 2009)

Hi CG - I did as you asked. Found only files named TDSSSERV.sys in both locations. I tried to delete but got the message "Cannot delete - error while deleting key". If the file is just named TDSSERV, then it doesn't exist in either location. The plot thickens!!


----------



## Cookiegal (Aug 27, 2003)

Can you upload a screenshot please?


----------



## middling (Mar 10, 2009)

Sorry CG. A screenshot of what? And how do I upload - just copy and paste as usual?


----------



## Cookiegal (Aug 27, 2003)

I need to see what you're seeing in the registry.

When you have it on your screen hit the Prt Scrn (Print screen) key and this saves the image to the clipboard. Then open up MS Paint and paste the image there. Then save it on your hard drive. Then upload it here as an attachment.


----------



## middling (Mar 10, 2009)

Hi CG. Hope this is what you need.


----------



## middling (Mar 10, 2009)

It didn't work, will try again.


----------



## middling (Mar 10, 2009)

No go. I think the files are too big to attach (2.3 MB); they will not upload. Any other way to do it? Can I copy and paste?


----------



## Cookiegal (Aug 27, 2003)

You can't copy and paste an image. You need to resize the image before uploading it. You can do that with MS Office Picture Manager.


----------



## middling (Mar 10, 2009)

I tried saving in JPG format. Trying now!


----------



## Cookiegal (Aug 27, 2003)

It's only a leftover registry entry as there's no value associated with it but I'd still like to remove it.

Navigate to that *TDSSserv.sys *key again in the registry in the left-hand pane.

Right click it and choose "Permissions". Under "Group or user names", select your user profile name as administrator (probably My Computer).

Below that, under "Permissions for Administrators", by "Full Control" put a check by "Allow".

Click Apply then OK. Now right click the *TDSSserv.sys *key and delete it.

Restart your computer and let me know how it went.
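The two manual regedit procedures in this thread (back up with regedit /e, check the Services key of each ControlSet for TDSSserv, grant Full Control where the delete is refused, then delete) gathered into one script, as an added example that is not part of the thread or of any tool mentioned in it. The name prefix TDSS*, the backup path, and that the account running it can change the key's permissions (as the poster's could) are assumptions; run it from an elevated PowerShell prompt, with -WhatIf first to see what it would remove.

```powershell
<#
  Added example (not from this thread): back up the registry, then find and
  remove leftover TDSS* service keys in every ControlSet, the way the regedit
  steps in the thread do by hand. Run from an elevated PowerShell prompt.
  Assumptions: the key name prefix "TDSS", the backup path, and that the
  current account may change the key's permissions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = 'TDSS*',                                   # assumed prefix
    [string]$BackupPath  = (Join-Path $env:SystemDrive 'registrybackup.reg')
)

# 1. Export the registry exactly as the thread does (regedit /e) and refuse to
#    continue unless the backup file actually appeared on disk.
if ($PSCmdlet.ShouldProcess($BackupPath, 'Export full registry backup (regedit /e)')) {
    Start-Process -FilePath 'regedit.exe' -ArgumentList "/e `"$BackupPath`"" -Wait
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "Backup $BackupPath was not written; not touching the registry."
    }
}

# 2. Walk every ControlSet00N under HKLM\SYSTEM. The GMER log listed the key
#    under ControlSet003 while the helper also had the user check ControlSet001;
#    most tools show only CurrentControlSet, so each numbered set is checked.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet0*' }

$hits = foreach ($cs in $controlSets) {
    $servicesPath = "HKLM:\SYSTEM\$($cs.PSChildName)\Services"
    Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $NamePattern } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ControlSet = $cs.PSChildName
                Key        = $_.PSChildName
                Values     = $_.ValueCount       # 0 means an empty leftover key, as in the thread
                ImagePath  = $props.ImagePath
                Path       = "$servicesPath\$($_.PSChildName)"
            }
        }
}

if (-not $hits) {
    Write-Output "No service keys matching '$NamePattern' in any ControlSet."
    return
}
$hits | Format-Table ControlSet, Key, Values, ImagePath -AutoSize

# 3. For each hit, grant Administrators Full Control (the "Permissions" dialog
#    step in the thread) so the delete is not refused, then remove the key.
#    -WhatIf reports what would be removed without changing anything.
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
foreach ($h in $hits) {
    if ($PSCmdlet.ShouldProcess($h.Path, 'Grant Full Control and delete key')) {
        $acl  = Get-Acl -Path $h.Path
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $h.Path -AclObject $acl
        Remove-Item -Path $h.Path -Recurse -Force
        Write-Output "Removed $($h.Path)"
    }
}
```

Reboot afterwards and re-scan, as the thread does, so the removal is confirmed by a fresh GMER log rather than by the script's own output.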


----------



## middling (Mar 10, 2009)

Will do, but not at my computer till Sunday. Thanks.


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine.


----------



## middling (Mar 10, 2009)

Deleted and re-booted. No difference I'm afraid.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start *- *Run *and then type *devmgmt.msc* and click OK.

On the View menu click on *Show Hidden Devices*.

Browse to *Non-Plug and Play Drivers *and let me know if you see anything like *TDSSserv.sys* (or with *TDSS *in it).


----------



## middling (Mar 10, 2009)

Nope. Nothing like that is showing.


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## middling (Mar 10, 2009)

As requested:

StartupList report, 07/05/2009, 7:19:35 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
ShStatEXE = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
nmctxth = "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
McAfeeUpdaterUI = "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
LTMSG = LTMSG.exe 7
LELA = "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
AlcxMonitor = ALCXMNTR.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Ad-Watch = C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
= 
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - C:\Program Files\Windows Live Toolbar\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Ad-Aware Update (Weekly).job
AppleSoftwareUpdate.job
Check Updates for Windows Live Toolbar.job
EasyShare Registration Task.job
--------------------------------------------------


----------



## middling (Mar 10, 2009)

Part 2

Enumerating Download Program Files:
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302063890
[HP Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HPDEXAXO.dll
CODEBASE = https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
[Java Plug-in 1.6.0_11]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
[Java Plug-in 1.6.0_11]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
[Java Plug-in 1.6.0_11]
InProcServer32 = C:\Program Files\Java\jre6\bin\npjpi160_11.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
[{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}]
InProcServer32 = C:\Program Files\WebEx\ieatgpc.dll
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\rsvpsp.dll
Protocol #19: C:\WINDOWS\system32\rsvpsp.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\drivers\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
Dual-Band Wireless A+G PCI Adapter Service: system32\DRIVERS\ar5211.sys (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\drivers\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom NetXtreme Gigabit Ethernet: system32\DRIVERS\b57xp32.sys (manual start)
Broadcom Advanced Server Program Driver: system32\DRIVERS\baspxp32.sys (manual start)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
catchme: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
ERSvc: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR ASPI Filter Driver: system32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
helpsvc: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
Windows CardSpace: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: System32\drivers\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (autostart)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Lavasoft Ad-Aware Service: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" (autostart)
Lbd: system32\DRIVERS\Lbd.sys (system)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
Linksys Updater: "C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf" (autostart)
Agere Modem Driver: system32\DRIVERS\ltmdmnt.sys (manual start)
McAfee Framework Service: "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (autostart)
McAfee McShield: "C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe" (autostart)
McAfee Task Manager: "C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" (autostart)
McAfee Inc.: system32\drivers\mfeapfk.sys (manual start)
McAfee Inc.: system32\drivers\mfeavfk.sys (manual start)
McAfee Inc.: system32\drivers\mfebopk.sys (manual start)
McAfee Inc.: system32\drivers\mfehidk.sys (manual start)
VSCore mferkdk: \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (system)
McAfee Inc.: system32\drivers\mfetdik.sys (system)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Net.Tcp Port Sharing Service: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Pure Networks Platform Service: "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\drivers\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pure Networks Device Discovery Driver: system32\DRIVERS\pnarp.sys (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Pure Networks Wireless Driver: system32\DRIVERS\purendis.sys (autostart)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek 10/100/1000 PCI NIC Family NDIS XP Driver: system32\DRIVERS\Rtnicxp.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
SharedAccess: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
Srv: System32\DRIVERS\srv.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{1920AFAB-38C3-42EB-BE78-B5FD48544A43} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Apple Mobile USB Driver: System32\Drivers\usbaapl.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Live Setup Service: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe" (manual start)
Microsoft Windows Management Interface for ACPI: System32\DRIVERS\wmiacpi.sys (system)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
wscsvc: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Search: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart)
wuauserv: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 34,495 bytes
Report generated in 0.282 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run and type in this command and post the output in Notepad please.

*CMD /K SC QC DHCP*


----------



## middling (Mar 10, 2009)

For what it's worth, this is all I got from that command:

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

C:\Documents and Settings\Administrator>


----------



## Cookiegal (Aug 27, 2003)

It seems the DHCP service is not installed.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search > All Files and Folders and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Now search for the following file and let me know if you find it. It should be in the System32 folder.

*dhcpcsvc.dll*


----------



## middling (Mar 10, 2009)

Yep, found it in the System32 folder as well as in a $ntservice pack file and another service pack file.


----------



## JohnWill (Oct 19, 2002)

Try doing a stack repair.

*TCP/IP stack repair options for use with Windows XP with SP2/SP3.*

*S*tart, *R*un, *CMD* to open a command prompt:

In the command prompt window that opens, type the following commands:

_Note: Type only the text in bold for the following commands._

Reset TCP/IP stack to installation defaults, type: *netsh int ip reset reset.log*

Reset WINSOCK entries to installation defaults, type: *netsh winsock reset catalog*

Reboot the machine.


----------



## middling (Mar 10, 2009)

Tried that a long time ago and, just to be sure, I just tried it again. No go. I get a message "warning Could not obtain host information from machine. Some commands may not be available. The specified service does not exist as an installed service".

Winsock reset gives much the same warning message but then says that the catalog has been successfully reset! Reboot achieved nothing.


----------



## JohnWill (Oct 19, 2002)

Check your Services are Started: 

COM+ Event System (for WZC issues)
Computer Browser
DHCP Client
DNS Client
Network Connections
Network Location Awareness
Remote Procedure Call (RPC)
Server
TCP/IP Netbios helper
Wireless Zero Configuration (XP wireless configurations)
WLAN AutoConfig (Vista wireless configurations)
Workstation

_*Note:* You can check the services in Control Panel, Administrative Tools, Services._

*All of these services should be started, and their startup type should be automatic (or perhaps manual).*

If a service is not running, open its properties and check the dependencies. Check each of the dependencies and see which one is preventing the service from running. Checking the event log is also a good idea here; there may be clues to what is failing.

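The service check JohnWill describes, as an added example and not code from the thread: a PowerShell script that reports, for each service on his list, whether it is installed at all (the `sc qc` error 1060 case from earlier in the thread), its state and startup type, and which dependencies are not running. It assumes PowerShell is installed (on XP it is a separate download) and that the short service names in the table are the ones Windows uses; it also repeats Cookiegal's file check for dhcpcsvc.dll.

```powershell
# Added example: check the services JohnWill lists and flag any that are missing.
# Display name -> short service name (the short names are assumptions for XP/Vista).
$services = @{
    'COM+ Event System'           = 'EventSystem'
    'Computer Browser'            = 'Browser'
    'DHCP Client'                 = 'Dhcp'
    'DNS Client'                  = 'Dnscache'
    'Network Connections'         = 'Netman'
    'Network Location Awareness'  = 'Nla'
    'Remote Procedure Call (RPC)' = 'RpcSs'
    'Server'                      = 'lanmanserver'
    'TCP/IP NetBIOS Helper'       = 'LmHosts'
    'Wireless Zero Configuration' = 'WZCSVC'
    'WLAN AutoConfig'             = 'Wlansvc'
    'Workstation'                 = 'lanmanworkstation'
}

foreach ($entry in $services.GetEnumerator() | Sort-Object Key) {
    $name = $entry.Value
    # Get-Service returns nothing when the service is not installed,
    # which is the same condition "sc qc" reports as error 1060.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host ("MISSING  {0} ({1}) - not installed" -f $entry.Key, $name)
        continue
    }
    # Win32_Service exposes the startup type (Auto/Manual/Disabled).
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $line = "{0,-8} {1} ({2}) start={3}" -f $svc.Status, $entry.Key, $name, $wmi.StartMode
    if ($svc.Status -ne 'Running') {
        # For a stopped service, list the dependencies that are themselves not running.
        $blocked = $svc.ServicesDependedOn |
                   Where-Object { $_.Status -ne 'Running' } |
                   ForEach-Object { $_.Name }
        if ($blocked) { $line += " blocked by: " + ($blocked -join ', ') }
    }
    Write-Host $line
}

# Cookiegal's file check: the DHCP client DLL can be present even when the service entry is gone.
$dll = Join-Path $env:SystemRoot 'system32\dhcpcsvc.dll'
Write-Host ("dhcpcsvc.dll present: {0}" -f (Test-Path $dll))
```

A service reported as MISSING has no registry entry under HKLM\SYSTEM\CurrentControlSet\Services, which is why netsh and sc cannot find it; a stopped service with a "blocked by" list points to the dependency to inspect first.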

----------



## middling (Mar 10, 2009)

Most of these services are not even mentioned in Services on the affected machine. I repeat, there is no mention of them. The only mention is "Remote Procedure Call" and it is activated automatically. I had established at the very beginning of the thread that I thought part of my problem was that I had "lost" the DHCP file.


----------



## JohnWill (Oct 19, 2002)

Your machine is seriously screwed up!

I'd consider running SFC: SFC Tutorial

If that doesn't work, a repair installation is next on my list: How to Perform a Windows XP Repair Install


----------



## middling (Mar 10, 2009)

Tried SFC. No change. I bought this machine from a guy who was moving out of town so I don't have a CD. Am I screwed? Is it time to throw the machine over a cliff or do you have another suggestion? (Please don't tell me it would make a nice planter.) Lots of really nice people have tried to help me here and I appreciate all you have done. Is this the end of the road?


----------



## JohnWill (Oct 19, 2002)

I'm afraid you probably need a reinstall at this point, so you'll have to shop for a copy of XP.


----------



## middling (Mar 10, 2009)

Thank you all for all of the help. Cookiegal, you tried so hard and I'm bloody sure I've got the cleanest computer in the universe.


----------



## Cookiegal (Aug 27, 2003)

You're welcome middling.


----------

