After Cleaning As Many Virus & Trojans I Can, I Still Don't Control This System

blade2buddy · #1 26th Oct 2009, 07:45

I've been working all weekend on a friends system, to try to clean up infestations he's had from not protecting himself. I've installed Avira AntiVir, de-installed multiple old Virus and malware systems, worked through the Malware Removal Guide, and still have problems with the system. Symptoms include:

Unable to access Control Panel from Start->Settings
I see Windows Security shield (red X) but when I click I get "This operation has been cancelled due to restrictions in effect on this computer."
Every 10 minutes I get a AdWare pop-up from CiD for a variety of (seemingly) legitimate products.
When the system boots up, and periodically as its on, I get a pop-up that says "Unable to locate c:/...{something}.../printer.exe"
I've cleaned out virus' and trojans including:
- TR/Crypt.XPACK.Gen
- TR/Dropper.Gen
- DR/Delphi.Gen
- TR/Crypt.ULPM.Gen

Obviously, everything is not right yet, but I've reached the end of my skills. As said, I've been through the steps of the Malware Removal Guide and can provide logs. Below is the most recent HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:27 AM, on 10/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Skip Dart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Amenbait] C:\DOCUME~1\Owner\APPLIC~1\ADMINF~1\tons proc.exe
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 6226 bytes

**evilfantasy** · #2 26th Oct 2009, 09:48

Can you post the Malwarebytes and Superantispyware logs?

blade2buddy · #3 26th Oct 2009, 09:52

Malwarebytes' Anti-Malware 1.41
Database version: 3034
Windows 5.1.2600 Service Pack 2
10/26/2009 6:47:20 AM
mbam-log-2009-10-26 (06-47-20).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 132849
Time elapsed: 29 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{abcdecef-4b15-11d1-abed-709549c10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{abcdece2-4b15-11d1-abed-709549c10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\SafeBoot\Minimal\runtime2.sys (Rootkit.Safemode.Hijack) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\SafeBoot\Network\runtime2.sys (Rootkit.Safemode.Hijack) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\R oot\LEGACY_RUNTIME (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\R oot\LEGACY_RUNTIME2 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\runtime2 (Rootkit.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\sp2 connection patcher (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\startdrv (Malware.Trace) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\runtime2.sys (Rootkit.Agent) -> Delete on reboot.

====================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/26/2009 at 05:53 AM
Application Version : 4.29.1004
Core Rules Database Version : 4191
Trace Rules Database Version: 2103
Scan type : Complete Scan
Total Scan Time : 00:33:36
Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 4396
Registry threats detected : 140
File items scanned : 38619
File threats detected : 39
Trojan.Net-VTROLL
HKLM\Software\Classes\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32#ThreadingModel
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32#Enable Browser Extensions
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\ProgID
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\Programmable
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKCR\IEHlprObj.IEHlprObj.1
HKCR\IEHlprObj.IEHlprObj.1\CLSID
HKCR\IEHlprObj.IEHlprObj
HKCR\IEHlprObj.IEHlprObj\CurVer
C:\WINDOWS\SYSTEM32\VTR123.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKU\S-1-5-21-1783020033-223171952-2399564081-1003\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{ABCDECF0-4B15-11D1-ABED-709549C10000}
Adware.GAIN/DashBar
HKLM\Software\Classes\CLSID\{CC90CDA0-74A0-45b4-80EF-D89CA8C249B8}
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\InprocServer32
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\InprocServer32#ThreadingModel
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\ProgID
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\Programmable
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\TypeLib
HKCR\CLSID\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}\VersionIndependentProgID
HKCR\DashBarToolBar.SearchScoutBandObj.1
HKCR\DashBarToolBar.SearchScoutBandObj.1\CLSID
HKCR\DashBarToolbar.SearchScoutBandObj
HKCR\DashBarToolbar.SearchScoutBandObj\CLSID
HKCR\DashBarToolbar.SearchScoutBandObj\CurVer
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}\1.0
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}\1.0\0
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}\1.0\0\win32
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}\1.0\FLAGS
HKCR\TypeLib\{8642D0F2-37CC-46b7-AA5B-399E6E68C626}\1.0\HELPDIR
C:\PROGRAM FILES\DASHBAR\DASHBAR30.DLL
HKU\S-1-5-21-1783020033-223171952-2399564081-1003\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CC90CDA0-74A0-45b4-80EF-D89CA8C249B8}
HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}
HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}\ProxyStubClsid
HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}\ProxyStubClsid32
HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}\TypeLib
HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}\TypeLib#Version
Trojan.NewDotNet
HKU\S-1-5-21-1783020033-223171952-2399564081-1003\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\New.net
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\New.net#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\New.net#UninstallString
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net
HKLM\Software\New.net
HKLM\Software\New.net#Activity
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#Prt
HKLM\Software\New.net#Source
HKLM\Software\New.net#Tag
HKLM\Software\New.net#Complete
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\NewDotNet
C:\WINDOWS\Prefetch\NNRUN.EXE-0A483F4B.pf
Trojan.IP6FW/Rootkit
HKLM\System\ControlSet001\Services\Ip6Fw
C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Ip6Fw
HKLM\System\ControlSet002\Services\Ip6Fw
HKLM\System\ControlSet002\Enum\Root\LEGACY_Ip6Fw
HKLM\System\CurrentControlSet\Services\Ip6Fw
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ip6 Fw
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yi eldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmeb f[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.se rving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@colle ctive-media[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@conte nt.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubl eclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media plex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsc i[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richm edia.yahoo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@servi ng-sys[2].txt
Adware.GAIN/Gator
HKLM\Software\Gator.com
HKLM\Software\Gator.com\AppInfo
HKLM\Software\Gator.com\AppInfo\CME
HKLM\Software\Gator.com\AppInfo\CME#event
HKLM\Software\Gator.com\AppInfo\CME#timeout_secs_u i
HKLM\Software\Gator.com\AppInfo\CME#timeout_secs_f ull
HKLM\Software\Gator.com\AppInfo\CME#restart
HKLM\Software\Gator.com\AppInfo\CME#lockfiles
HKLM\Software\Gator.com\CMEII
HKLM\Software\Gator.com\CMEII#appPath
HKLM\Software\Gator.com\CMEII#Uninstall
HKLM\Software\Gator.com\CMEII#runcnt
HKLM\Software\Gator.com\CMEII#lastrun
HKLM\Software\Gator.com\CMEII#RunApps
HKLM\Software\Gator.com\CMEII#firstRunSent
HKLM\Software\Gator.com\CMEII#numInst
HKLM\Software\Gator.com\CMEII#hbt
HKLM\Software\Gator.com\CMEII#InstApps
HKLM\Software\Gator.com\CMEII#PreInstApps
HKLM\Software\Gator.com\CMEII#TransitApps
HKLM\Software\Gator.com\CMEII#UnInstApps
HKLM\Software\Gator.com\CMEII#AppDisplayNameList
HKLM\Software\Gator.com\CMEII#AppHist
HKLM\Software\Gator.com\CMEII#LowAppInfo
HKLM\Software\Gator.com\CMEII#ehbt
HKLM\Software\Gator.com\CMEII#CMELastCheckTime
HKLM\Software\Gator.com\DashBar
HKLM\Software\Gator.com\DashBar#appPath
HKLM\Software\Gator.com\DashBar#Version
HKLM\Software\Gator.com\DashBar#Lastupdate
HKLM\Software\Gator.com\DashBar\AU
HKLM\Software\Gator.com\DashBar\AU#Bver
HKLM\Software\Gator.com\DashBar\DynSettings
HKLM\Software\Gator.com\DashBar\DynSettings#TckRt
HKLM\Software\Gator.com\DashBar\Install
HKLM\Software\Gator.com\DashBar\Install#ARQ
HKLM\Software\Gator.com\DashBar\ST
HKLM\Software\Gator.com\DashBar\ST#STime
HKLM\Software\Gator.com\Gator
HKLM\Software\Gator.com\Gator\dyn
HKLM\Software\Gator.com\Gator\dyn\GCH
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#St artTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#Ol destTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#30 7-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#30 7-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#30 7-400
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#30 7-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#29 7-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#29 7-bytes
HKLM\Software\Gator.com\Gator\dyn\GUS
HKLM\Software\Gator.com\Gator\dyn\GUS#TC
HKLM\Software\Gator.com\Gator\dyn\GUS#_BWHist
HKLM\Software\Gator.com\Gator\stat
HKLM\Software\Gator.com\Gator\stat#Guid
HKLM\Software\Gator.com\GInternet
HKLM\Software\Gator.com\GInternet\Proxy
HKLM\Software\Gator.com\GInternet\Proxy#Enabled
HKLM\Software\Gator.com\PDP
HKLM\Software\Gator.com\PDP\Install
HKLM\Software\Gator.com\trickles
HKLM\Software\Gator.com\trickles\Trickle Thread
HKLM\Software\Gator.com\trickles\Trickle Thread\cmeii
HKLM\Software\Gator.com\trickles\Trickle Thread\cmeii\gatorcme.gator.com:80/gatorcme/appsenc/aquatica3_2100.zip
HKLM\Software\Gator.com\trickles\Trickle Thread\cmeii\gatorcme.gator.com:80/gatorcme/appsenc/aquatica3_2100.zip#AccumFile
HKLM\Software\Gator.com\trickles\Trickle Thread\cmeii\gatorcme.gator.com:80/gatorcme/appsenc/aquatica3_2100.zip#UrlSize
HKLM\Software\Gator.com\trickles\Trickle Thread\cmeii\gatorcme.gator.com:80/gatorcme/appsenc/aquatica3_2100.zip#UrlTime
HKLM\Software\Gator.com\trickles\TRICKLER_6106
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Tri ckler
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Tri ckler\trickle.gator.com:80/download/trickler6.cfg
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Tri ckler\trickle.gator.com:80/download/trickler6.cfg#AccumFile
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Tri ckler\trickle.gator.com:80/download/trickler6.cfg#UrlSize
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Tri ckler\trickle.gator.com:80/download/trickler6.cfg#UrlTime
Trojan.Net-AVP/AVT
HKLM\Software\Microsoft\Windows\CurrentVersion\Run #WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ]
HKU\S-1-5-21-1783020033-223171952-2399564081-1003\Software\Microsoft\Windows\CurrentVersion\Run #WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ]
Malware.Awola/Rel
HKU\S-1-5-21-1783020033-223171952-2399564081-1003\Software\Microsoft\Windows\CurrentVersion\Run #Microsft Windows Adapter 5.1.3013 [ C:\Documents and Settings\Owner\Application Data\ymfoh.exe ]
Trojan.Downloader-Gen/HanOnVt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0033524.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0033531.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0034528.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0034537.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0034542.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0035542.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0035831.INI
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0035848.INI
C:\WINDOWS\SYSTEM32\HANONVT.INI
Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP91\A0034536.EXE

**evilfantasy** · #4 26th Oct 2009, 10:10

Thank you.

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

blade2buddy · #5 26th Oct 2009, 10:23

=========== Log 1 =======================

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 11:19:39.45 on Mon 10/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.35 [GMT -6:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
mDefault_Page_URL = hxxp://verizon.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Shell=Explorer.exe c:\windows\system32\printer.exe
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Verizon Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [Amenbait] c:\docume~1\owner\applic~1\adminf~1\tons proc.exe
uRun: [DoNotDelete] c:\windows\system32\explore.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [ML1HelperStartUp] c:\progra~1\midnig~1\ML1HEL~1.EXE /partner ML1
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [DoNotDelete] c:\windows\system32\explore.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Love default global mess] c:\documents and settings\all users\application data\great coal love default\Skip Dart.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [OOBEDDDemise] cmd /x /c erase c:\windows\system32\oobe\msoobe.exe
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\hanonvt.ini
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-25 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-25 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-25 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgn tflt.sys [2009-10-25 55656]
S1 smtpdrv;smtpdrv;c:\windows\system32\drivers\smtpdr v.sys --> c:\windows\system32\drivers\smtpdrv.sys [?]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
=============== Created Last 30 ================
2009-10-26 07:03 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-26 07:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-26 06:15 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-26 06:15 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 06:14 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-26 06:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-26 06:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 05:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-26 05:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-26 05:14 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-10-26 05:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-26 05:04 <DIR> --d----- c:\program files\CCleaner
2009-10-25 08:10 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-10-25 08:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-10-25 08:10 <DIR> --d----- c:\program files\Avira
2009-10-25 08:10 <DIR> --d----- c:\program files\adminfivemedia
2009-10-25 06:26 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-10-25 06:26 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-10-18 06:22 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-10-18 06:22 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-10-18 06:22 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-10-18 06:22 9,600 a------- c:\windows\system32\drivers\hidusb.sys
==================== Find3M ====================
2007-05-21 17:15 994 a------- c:\docume~1\owner\applic~1\wklnhst.dat
============= FINISH: 11:20:15.25 ===============

================ Log 2 ===================

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/20/2005 4:31:57 PM
System Uptime: 10/26/2009 7:11:42 AM (4 hours ago)
Motherboard: Intel Corporation | | D845GVSR
Processor: Intel(R) Celeron(R) CPU 2.80GHz | J2E1 | 2800/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 73 GiB total, 68.068 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 1.638 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP90: 10/11/2007 4:56:50 PM - Installed WMI ODBC Driver
RP91: 10/25/2009 8:09:02 AM - Avira AntiVir Personal - 10/25/2009 8:08
RP92: 10/26/2009 5:14:06 AM - Installed SUPERAntiSpyware Free Edition
RP93: 10/26/2009 7:02:43 AM - Installed Java(TM) 6 Update 16
==== Installed Programs ======================
Adobe Reader 6.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
Aquatica3 (Downloading)
Avira AntiVir Personal - Free Antivirus
BigFix
CCleaner (remove only)
CiD Help
DashBar Toolbar
Digital Media Reader
GAIN
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
McAfee AntiSpyware
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Midnight Lake Screensaver
MSN
MSXML 4.0 SP2 (KB927978)
oobeFlagNetscape0
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
SoftV92 Data Fax Modem with SmartCP
SP2 Connection Patcher
SUPERAntiSpyware Free Edition
Verizon Online
Verizon Yahoo! Applications
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
10/26/2009 6:47:57 AM, error: PlugPlayManager [11] - The device Root\LEGACY_RUNTIME2\0000 disappeared from the system without first being prepared for removal.
10/26/2009 6:47:57 AM, error: PlugPlayManager [11] - The device Root\LEGACY_RUNTIME\0000 disappeared from the system without first being prepared for removal.
10/25/2009 9:52:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SAVRT SAVRTPEL smtpdrv SPBBCDrv ssmdrv SYMTDI
10/25/2009 9:52:06 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
10/25/2009 9:51:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/25/2009 9:50:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/25/2009 9:42:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
10/25/2009 9:42:39 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/25/2009 9:41:34 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/25/2009 9:41:33 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
10/25/2009 9:41:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: smtpdrv
10/25/2009 9:41:06 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NNServ service to connect.
10/25/2009 9:41:06 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AOL Connectivity Service service to connect.
10/25/2009 9:41:06 AM, error: Service Control Manager [7000] - The AOL Connectivity Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/25/2009 9:03:01 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\ip6fw.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
10/25/2009 7:58:12 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
10/25/2009 7:58:12 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\basic\setu p.exe. Reference error message: The operation completed successfully. .
10/25/2009 7:58:12 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
10/25/2009 7:53:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SAVRT SAVRTPEL SPBBCDrv SYMTDI
10/25/2009 6:42:14 AM, error: E100B [5001] - Intel(R) PRO/100 VE Network Connection : Could not allocate the resources necessary for operation.
10/25/2009 10:26:29 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/25/2009 10:21:08 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL smtpdrv SPBBCDrv ssmdrv SYMTDI Tcpip
10/25/2009 10:21:08 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 10:21:08 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 10:21:08 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 10:21:08 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
==== End Of File ===========================

**evilfantasy** · #6 26th Oct 2009, 10:41

There is a lot of adware that needs to be uninstalled.

Go to Add or Remove Programs and uninstall:

CiD Help
DashBar Toolbar
GAIN
Midnight Lake Screensaver
Viewpoint Media Player

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

Driver::
smtpdrv
NNServ

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
mWinlogon: Shell=Explorer.exe c:\windows\system32\printer.exe
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Amenbait] c:\docume~1\owner\applic~1\adminf~1\tons proc.exe
uRun: [DoNotDelete] c:\windows\system32\explore.exe
mRun: [<NO NAME>] 
mRun: [DoNotDelete] c:\windows\system32\explore.exe
mRun: [Love default global mess] c:\documents and settings\all users\application data\great coal love default\Skip Dart.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
AppInit_DLLs: c:\windows\system32\hanonvt.ini

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

blade2buddy · #7 26th Oct 2009, 11:08

Ummmmm, in case it wasn't clear from the original problem description, I can't get at "Add or remove programs" because I can't get at the control panel. I'm assuming this is part of the mess that the ad/spy/trojans created.

Do you have a recommended alternative? Can I use CCleaner uninstall instead?

**evilfantasy** · #8 26th Oct 2009, 11:21

Sorry. Run ComboFix first. Then try Add/Remove Programs again.

blade2buddy · #9 26th Oct 2009, 11:55

Here is the result of ComboFix. Control Panel is back (Thanks). I'll do the program uninstalls now.

ComboFix 09-10-25.02 - Owner 10/26/2009 12:35.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.118 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\owner\applic~1\adminf~1\tons proc.exe
c:\documents and settings\all users\application data\great coal love default\Skip Dart.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\malwarebytes' anti-malware\mbam.exe
c:\program files\messenger\msmsgs.exe
c:\recycler\S-1-5-21-3351966399-2989048848-267923825-1003
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://66.246.72.173
hxxp://67.18.114.98
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NNSERV
-------\Legacy_SMTPDRV
-------\Service_NNServ
-------\Service_smtpdrv

((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.
2009-10-26 13:03 . 2009-10-26 13:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-26 12:15 . 2009-10-26 12:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-26 12:15 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 12:14 . 2009-10-26 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 12:14 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 12:14 . 2009-10-26 18:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 11:14 . 2009-10-26 11:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-26 11:14 . 2009-10-26 11:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-26 11:14 . 2009-10-26 11:14 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-26 11:13 . 2009-10-26 11:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-26 11:04 . 2009-10-26 11:04 -------- d-----w- c:\program files\CCleaner
2009-10-25 16:01 . 2009-10-25 16:01 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-10-25 14:10 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-25 14:10 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-25 14:10 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-25 14:10 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-25 14:10 . 2009-10-25 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-25 14:10 . 2009-10-25 14:10 -------- d-----w- c:\program files\Avira
2009-10-25 14:10 . 2009-10-25 14:10 -------- d-----w- c:\program files\adminfivemedia
2009-10-25 12:26 . 2004-08-04 04:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-25 12:26 . 2004-08-04 04:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-18 12:22 . 2001-08-17 19:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-18 12:22 . 2001-08-17 19:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-18 12:22 . 2001-08-17 20:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-10-18 12:22 . 2001-08-17 20:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-10-26 18:39 . 2007-08-03 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\great coal love default
2009-10-26 18:39 . 2005-11-13 04:04 -------- d-----w- c:\documents and settings\Owner\Application Data\adminfivemedia
2009-10-26 13:04 . 2004-11-02 01:23 -------- d-----w- c:\program files\Java
2009-10-26 12:08 . 2005-11-13 04:03 -------- d-----w- c:\program files\SP2 Connection Patcher
2009-10-26 03:02 . 2005-10-08 00:51 -------- d-----w- c:\program files\Yahoo!
2009-10-26 03:02 . 2005-10-08 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo
2009-10-26 02:24 . 2005-10-08 00:46 -------- d-----w- c:\program files\Common Files\Verizon Online
2009-10-26 02:24 . 2005-10-07 18:35 -------- d-----w- c:\program files\NetZero
2009-10-26 02:07 . 2004-11-02 01:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-25 15:01 . 2005-06-02 04:07 -------- d-----w- c:\program files\Midnight Lake Screensaver
2009-10-25 15:01 . 2005-06-02 03:29 -------- d-----w- c:\program files\DashBar
2009-10-25 15:01 . 2005-05-30 14:29 -------- d-----w- c:\program files\Common Files\GMT
2009-10-25 15:01 . 2005-05-30 14:29 -------- d-----w- c:\program files\Common Files\CMEII
2009-10-25 15:00 . 2005-11-13 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SecondDumbHoldDale
.
------- Sigcheck -------
[-] 2007-08-11 . 3BB4B08619C111C7BE8BDA07AA0DE6A2 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-02-20 . EB98D5E55321CEFD803E8173DBB000DB . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-11-13 . 14143695E27B2718DEE96EA2E50428B3 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2006-12-19 . CEF243F6DEFD20BE4ADDE26C7ECACB54 . 2182016 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 . 8F0DEAB1F81FB83F9C5995853CE48B9F . 2180352 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2005-03-02 . 4D4CF2C14550A4B7718E94A6E581856E . 2179328 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFi les\i386\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\Driver Cache\i386\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
[7] 2004-08-04 06:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOL SP Scheduler.exe" [2005-04-11 83544]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 99480]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.ex e" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-06-17 401408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-26 149280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"OOBEDDDemise"="erase" [X]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/25/2009 8:10 AM 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-26 c:\windows\Tasks\A954ED28918B60EC.job
- c:\docume~1\owner\applic~1\adminf~1\Phone Size Link.exe [2005-11-13 14:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ML1HelperStartUp - c:\progra~1\MIDNIG~1\ML1HEL~1.EXE
AddRemove-Aquatica3_GAIN - c:\program files\Common Files\GMT\GUninstaller.exe
AddRemove-DashBar - c:\progra~1\DashBar\DBUninstaller.exe
AddRemove-MidnightLake - c:\progra~1\Midnight Lake Screensaver\ML1Uninstaller.exe
AddRemove-{4A840E1E-2BA8-47de-923E-0E00407EB530} - c:\program files\Common Files\GMT\GMT.exe
AddRemove-binbagsseek - c:\docume~1\Owner\APPLIC~1\ADMINF~1\tons proc.exe

************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 12:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once
OOBEDDDemise = cmd /x /c erase c:\windows\System32\oobe\msoobe.exe???<??????????u ?w????????????????????0?????<?p$??????????????i?wi s?????????<?????????????????????????????????*&?|p? ???&?|??-w????????????????????????????1???????????????????? ???d??????????????|?&?|?????&?|B%?|??????????????? ????|?$?|??????-wC
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(488)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\combofix\CF1911.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
************************************************** ************************
.
Completion time: 2009-10-26 12:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 18:49
Pre-Run: 72,956,461,056 bytes free
Post-Run: 73,129,594,880 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 5204D0FAAAE6AB4CD6CFD7B070DECE69

blade2buddy · #10 26th Oct 2009, 12:05

Surprisingly (perhaps not to you) when I ran ComboFix it appears to have removed traces of most of the programs you wanted me to install. When I went into Add/Remove Programs, the only one I could find is Viewpoint Media Player. I was able to Uninstall it without any problem. (Thanks)

What's next?