Malwarebytes won't run


I have been trying to run Malwarebytes to attempt to fix a problem on my computer. Everywhere I look I'm told to run Malwarebytes program. I have downloaded and installed this several times each time getting

VbAccelerator SGrid II Control

Run-time Error 0

and

Malwarebytes' Anti-Malware

Run-time Error 440

Automation Error

I get both errors one after another, multiple times. I have installed and uninstalled the software, purchased the software, and still get the same results. Now I've posted to get help after reading about someone else's similar problem and running ComboFix, and am posting the HJT log here for assistance. Please let me know if you would like to see the ComboFix log as well.

Any help would be appreciated!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:04:46 PM, on 8/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.washingtonpost.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


Root Admin

Okay, please disable your anti-virus, run this scanner and post back the log.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Here is the ComboFix log and the HJT log.

ComboFix 09-08-09.04 - Deborah Chase 08/09/2009 20:07.3.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.244 [GMT -4:00]

Running from: c:\documents and settings\Deborah Chase\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))

.

2009-08-09 22:55 . 2009-07-27 18:24 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\NAVENG32.DLL

2009-08-09 22:55 . 2009-07-27 18:24 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\NAVEX32A.DLL

2009-08-09 22:55 . 2009-07-27 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\NAVENG.SYS

2009-08-09 22:55 . 2009-07-27 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\NAVEX15.SYS

2009-08-09 22:55 . 2009-07-27 18:25 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\EECTRL.SYS

2009-08-09 22:55 . 2009-07-27 18:25 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\ERASER.SYS

2009-08-09 22:55 . 2009-07-27 18:24 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\ECMSVR32.DLL

2009-08-09 22:55 . 2009-07-27 18:24 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090809.020\CCERASER.DLL

2009-08-05 19:04 . 2009-08-05 19:04 -------- d-----w- c:\program files\Trend Micro

2009-08-04 23:06 . 2009-08-04 23:06 152576 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-02 03:23 . 2009-08-02 03:23 -------- d-----w- C:\Symlogs

2009-08-02 02:10 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-02 02:10 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-02 02:10 . 2009-08-02 02:10 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-02 02:10 . 2009-08-02 02:10 -------- d-----w- c:\program files\PC Tools AntiVirus

2009-08-01 19:14 . 2009-08-01 19:14 -------- d-----w- c:\program files\ERUNT

2009-07-30 22:33 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll

2009-07-30 22:32 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys

2009-07-30 22:32 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll

2009-07-30 22:32 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys

2009-07-30 22:32 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys

2009-07-30 04:34 . 2009-07-31 01:51 -------- d-----w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\Deployment

2009-07-30 02:22 . 2009-07-30 02:22 -------- d-----w- c:\program files\Lavalys

2009-07-27 21:19 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSXpx86.sys

2009-07-27 21:19 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\Scxpx86.dll

2009-07-27 21:19 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSxpx86.dll

2009-07-27 21:19 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSvix86.sys

2009-07-27 21:19 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSviA64.sys

2009-07-27 18:28 . 2009-07-27 18:24 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2009-07-27 18:27 . 2009-07-27 18:25 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-07-27 18:24 . 2009-07-27 18:24 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-07-27 18:24 . 2009-07-27 18:24 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-07-27 18:24 . 2009-07-27 18:24 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2009-07-27 18:23 . 2009-07-27 18:23 -------- d-----w- c:\windows\system32\drivers\NIS

2009-07-27 18:23 . 2009-07-27 18:23 -------- d-----w- c:\program files\Windows Sidebar

2009-07-27 18:10 . 2009-07-27 18:10 -------- d-----w- c:\program files\NortonInstaller

2009-07-27 17:44 . 2009-07-27 17:44 10134 ----a-r- c:\documents and settings\Deborah Chase\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe

2009-07-27 16:06 . 2009-07-27 16:06 -------- d-----w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\Symantec

2009-07-26 01:11 . 2009-08-02 20:24 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-25 06:45 . 2009-08-04 15:27 -------- d-----w- c:\program files\Norton SystemWorks Basic Edition

2009-07-25 06:08 . 2009-07-27 18:24 -------- d-----w- c:\program files\Norton Internet Security

2009-07-25 06:06 . 2009-07-27 18:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-07-25 06:06 . 2009-07-27 18:26 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-07-25 06:06 . 2009-07-27 18:26 -------- d-----w- c:\program files\Symantec

2009-07-25 02:25 . 2009-07-25 02:25 -------- d-sh--w- c:\documents and settings\Administrator.DEB\PrivacIE

2009-07-25 02:24 . 2009-07-25 02:24 -------- d-sh--w- c:\documents and settings\Administrator.DEB\IETldCache

2009-07-23 16:18 . 2009-07-23 16:18 152576 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-07-23 15:54 . 2009-07-23 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-07-23 15:53 . 2009-07-23 15:53 -------- d-----w- c:\program files\Common Files\CyberLink

2009-07-23 15:51 . 2009-07-25 03:06 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe

2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-06 00:45 . 2009-01-29 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-04 23:08 . 2004-05-29 02:43 -------- d-----w- c:\program files\Java

2009-08-02 20:49 . 2005-07-28 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-01 22:46 . 2007-05-05 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software

2009-08-01 22:46 . 2004-05-29 02:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-27 19:00 . 2004-07-02 21:25 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\Symantec

2009-07-27 18:26 . 2009-07-25 06:06 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-07-27 18:26 . 2009-07-25 06:06 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-07-27 18:23 . 2004-05-29 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-27 18:22 . 2009-06-13 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-27 18:21 . 2004-05-29 03:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-07-27 18:11 . 2009-06-13 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-07-27 17:44 . 2004-07-02 21:41 -------- d-----w- c:\program files\HP

2009-07-26 23:59 . 2009-03-16 01:59 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\OfficeUpdate12

2009-07-25 09:23 . 2008-11-10 18:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-25 03:41 . 2009-01-29 13:55 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\Malwarebytes

2009-07-25 03:07 . 2004-05-29 02:54 -------- d-----w- c:\program files\CyberLink

2009-07-23 15:51 . 2008-07-10 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-23 15:50 . 2003-12-06 03:11 353576 ----a-w- c:\windows\system32\msvcr71.dll

2009-07-23 15:50 . 2003-12-06 03:11 505128 ----a-w- c:\windows\system32\msvcp71.dll

2009-07-23 15:50 . 2003-12-06 03:09 29480 ----a-w- c:\windows\system32\msxml3a.dll

2009-07-05 12:31 . 2009-07-05 12:31 -------- d-----w- c:\program files\OverDrive Media Console

2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-30 00:07 . 2009-03-16 01:59 264704 ------w- c:\documents and settings\Deborah Chase\Application Data\OfficeUpdate12\oudetect.dll

2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 10:16 . 2009-06-13 21:22 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-06-13 21:22 . 2008-08-05 02:47 -------- d-----w- c:\program files\MSECache

2009-06-13 19:35 . 2009-01-31 00:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-06-13 19:23 . 2009-06-13 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-06-13 16:40 . 2004-07-02 21:25 108664 ----a-w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-13 15:32 . 2007-02-02 05:08 -------- d-----w- c:\program files\Yahoo!

2009-06-13 12:52 . 2009-06-13 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2009-06-03 19:09 . 2003-05-30 14:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 00:49 . 2009-06-03 00:49 390664 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-05_18.53.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-09 20:36 . 2009-08-09 20:36 16384 c:\windows\temp\Perflib_Perfdata_890.dat

+ 2009-08-10 00:19 . 2009-08-10 00:19 16384 c:\windows\temp\Perflib_Perfdata_56c.dat

+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\b4b05.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-09-18 25472]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ ????\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"VSS"=3 (0x3)

"RSVP"=3 (0x3)

"aspnet_state"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Alerter"=2 (0x2)

"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [8/1/2009 10:10 PM 130936]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\SymEFA.sys [7/27/2009 2:25 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\BHDrvx86.sys [7/27/2009 2:25 PM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\cchpx86.sys [7/27/2009 2:25 PM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [7/30/2009 6:32 PM 276344]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [7/27/2009 2:25 PM 115560]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [11/3/2005 11:08 PM 95832]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/6/2009 8:33 PM 101936]

S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [8/26/2008 3:22 PM 42112]

S4 Intacd;Intacd; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2007-09-18 12:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com

Trusted Zone: washingtonpost.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-09 20:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(576)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\SYSTEM32\nvsvc32.exe

c:\windows\SYSTEM32\hpzipm12.exe

c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\SYSTEM32\UAService7.exe

c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe

c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE

c:\windows\SYSTEM32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-10 20:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-10 00:32

ComboFix2.txt 2009-08-06 01:39

ComboFix3.txt 2009-08-05 19:02

ComboFix4.txt 2009-07-25 04:23

Pre-Run: 93,263,249,408 bytes free

Post-Run: 94,134,419,456 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

442 --- E O F --- 2009-08-09 11:28

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:38:04 PM, on 8/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.washingtonpost.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


  • Root Admin

STEP 01

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 02

Write down or verify your installation key in your email for Symantec and temporarily fully uninstall the product.

(we will re-install it soon so make sure you have the media to reinstall it and the activation key)

STEP 03

Once you have completed steps 1 and 2 then run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 04

Please download the following scanning tool: GMER

  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  • Double click on the randomly named exe file and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


Here are the ComboFix file and HJT. The GMER file is attached as instructed.

ComboFix 09-08-10.05 - Deborah Chase 08/11/2009 6:53.4.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.225 [GMT -4:00]

Running from: c:\documents and settings\Deborah Chase\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

c:\windows\Installer\347d13.msi

.

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))

.

2009-08-05 19:04 . 2009-08-05 19:04 -------- d-----w- c:\program files\Trend Micro

2009-08-04 23:06 . 2009-08-04 23:06 152576 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-02 03:23 . 2009-08-02 03:23 -------- d-----w- C:\Symlogs

2009-08-02 02:10 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-02 02:10 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-02 02:10 . 2009-08-02 02:10 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-02 02:10 . 2009-08-02 02:10 -------- d-----w- c:\program files\PC Tools AntiVirus

2009-08-01 19:14 . 2009-08-01 19:14 -------- d-----w- c:\program files\ERUNT

2009-07-30 04:34 . 2009-07-31 01:51 -------- d-----w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\Deployment

2009-07-30 02:22 . 2009-07-30 02:22 -------- d-----w- c:\program files\Lavalys

2009-07-27 17:44 . 2009-07-27 17:44 10134 ----a-r- c:\documents and settings\Deborah Chase\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe

2009-07-27 16:06 . 2009-08-11 10:42 -------- d-----w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\Symantec

2009-07-26 01:11 . 2009-08-02 20:24 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-25 06:06 . 2009-08-11 10:45 -------- d-----w- c:\program files\Symantec

2009-07-25 02:25 . 2009-07-25 02:25 -------- d-sh--w- c:\documents and settings\Administrator.DEB\PrivacIE

2009-07-25 02:24 . 2009-07-25 02:24 -------- d-sh--w- c:\documents and settings\Administrator.DEB\IETldCache

2009-07-23 16:18 . 2009-07-23 16:18 152576 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-07-23 15:54 . 2009-07-23 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-07-23 15:53 . 2009-07-23 15:53 -------- d-----w- c:\program files\Common Files\CyberLink

2009-07-23 15:51 . 2009-07-25 03:06 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-11 10:46 . 2004-05-29 03:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-11 10:45 . 2004-05-29 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-11 10:37 . 2009-06-13 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-06 00:45 . 2009-01-29 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-04 23:08 . 2004-05-29 02:43 -------- d-----w- c:\program files\Java

2009-08-02 20:49 . 2005-07-28 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-01 22:46 . 2007-05-05 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software

2009-08-01 22:46 . 2004-05-29 02:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-27 19:00 . 2004-07-02 21:25 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\Symantec

2009-07-27 18:22 . 2009-06-13 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-27 17:44 . 2004-07-02 21:41 -------- d-----w- c:\program files\HP

2009-07-26 23:59 . 2009-03-16 01:59 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\OfficeUpdate12

2009-07-25 09:23 . 2008-11-10 18:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-25 03:41 . 2009-01-29 13:55 -------- d-----w- c:\documents and settings\Deborah Chase\Application Data\Malwarebytes

2009-07-25 03:07 . 2004-05-29 02:54 -------- d-----w- c:\program files\CyberLink

2009-07-23 15:51 . 2008-07-10 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-23 15:50 . 2003-12-06 03:11 353576 ----a-w- c:\windows\system32\msvcr71.dll

2009-07-23 15:50 . 2003-12-06 03:11 505128 ----a-w- c:\windows\system32\msvcp71.dll

2009-07-23 15:50 . 2003-12-06 03:09 29480 ----a-w- c:\windows\system32\msxml3a.dll

2009-07-05 12:31 . 2009-07-05 12:31 -------- d-----w- c:\program files\OverDrive Media Console

2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-30 00:07 . 2009-03-16 01:59 264704 ------w- c:\documents and settings\Deborah Chase\Application Data\OfficeUpdate12\oudetect.dll

2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 10:16 . 2009-06-13 21:22 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-06-13 21:22 . 2008-08-05 02:47 -------- d-----w- c:\program files\MSECache

2009-06-13 19:35 . 2009-01-31 00:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-06-13 19:23 . 2009-06-13 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-06-13 16:40 . 2004-07-02 21:25 108664 ----a-w- c:\documents and settings\Deborah Chase\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-13 15:32 . 2007-02-02 05:08 -------- d-----w- c:\program files\Yahoo!

2009-06-13 12:52 . 2009-06-13 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2009-06-03 19:09 . 2003-05-30 14:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 00:49 . 2009-06-03 00:49 390664 ----a-w- c:\documents and settings\Deborah Chase\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-05_18.53.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-11 10:50 . 2009-08-11 10:50 16384 c:\windows\temp\Perflib_Perfdata_e8.dat

+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\b4b05.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ ????\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"VSS"=3 (0x3)

"RSVP"=3 (0x3)

"aspnet_state"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Alerter"=2 (0x2)

"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [8/1/2009 10:10 PM 130936]

S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [8/26/2008 3:22 PM 42112]

S4 Intacd;Intacd; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com

Trusted Zone: washingtonpost.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-11 07:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-08-11 7:06

ComboFix-quarantined-files.txt 2009-08-11 11:06

ComboFix2.txt 2009-08-10 00:32

ComboFix3.txt 2009-08-06 01:39

ComboFix4.txt 2009-08-05 19:02

ComboFix5.txt 2009-08-11 10:52

Pre-Run: 94,270,242,816 bytes free

Post-Run: 94,768,054,272 bytes free

160 --- E O F --- 2009-08-09 11:28

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:08:03 AM, on 8/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk (file missing)

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.washingtonpost.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games

gmerlog.zip


  • Root Admin

Please run the following now.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel or from the Start Menu

2. Restart your computer (very important).

3. Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php

Note: You will need to reactivate the program using the license you were sent if this is a paid version

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Then do a Quick Scan and post back that log or if you run into any errors please let me know what they are.


I have done exactly as instructed and still get

VbAccelerator SGrid II Control

Run-time Error 0

and

Malwarebytes' Anti-Malware

Run-time Error 440

Automation Error

they pop up sequentially at least four times starting at the end of the installation. Then when I try to run the software it pops up again 4 more times. This is exactly what was happening when I first posted. Nothing has changed. Did I do something wrong? ;)


  • Root Admin

No, it's just that some setting or software on your computer seems to be in conflict with installing MBAM and we need to try and track down what might be causing that.

Let me review a few things and I'll try to post back some more things to try later tonight if you still want to continue. This may require temporarily removing your Anti-Virus so make sure you have the registration key for the product if needed.


No, it's just that some setting or software on your computer seems to be in conflict with installing MBAM and we need to try and track down what might be causing that.

Let me review a few things and I'll try to post back some more things to try later tonight if you still want to continue. This may require temporarily removing your Anti-Virus so make sure you have the registration key for the product if needed.

Thanks Ron,

I definitely want to continue, please. Your help is very much appreciated.

In an earlier instruction you had me remove Norton which I did and have been accessing the Internet in Safe Mode w/Networking to get your further instructions.

Thanks for all your help.

Deb


  • Root Admin

Okay then, let's get started. Please read all of the steps and if possible print them out so that you know what you're doing before you get started.

If you have any questions or concerns before getting started please let me know.

STEP 01

Well the removal process from Symantec leaves a LOT of stuff behind and still active. Please download and run this tool to fully remove Symantec AV

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

STEP 02

Please FULLY remove Spybot - Search & Destroy for now. (we can reinstall when all done)

STEP 03

Please FULLY remove PC Tools for now. (we can reinstall when all done)

STEP 04

Please click on START - RUN and type in the exact command below or start regedit and go to this key and remove it.

CMD /K REG DELETE "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"

STEP 05

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

STEP 06

RESTART THE COMPUTER now

STEP 07

Once that is completely done removing, then run CCleaner again.

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup222_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 08

Please start the computer in NORMAL mode and uninstall IE8, rolling Internet Explorer back to IE7 or IE6, whichever was the previous version before the IE8 update.

STEP 09

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 10

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. Then browse to these locations and delete the folders if they still exist.

C:\Documents and Settings\All Users\Application Data\Malwarebytes

C:\Documents and Settings\username\Application Data\Malwarebytes

C:\Program Files\Malwarebytes' Anti-Malware

STEP 11

Please download and run the following fix from Microsoft How do I restore security settings to the default settings?

When completed please reboot your computer.

STEP 12

Service Pack 6 for Visual Basic 6.0: Run-Time Redistribution Pack (vbrun60sp6.exe)

Brief Description:

vbrun60sp6.exe is a self-extracting executable file that installs versions of the Microsoft Visual Basic run-time files required by all applications created with Visual Basic 6.0.

Download: vbrun60sp6.exe

STEP 13

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

RESTART THE COMPUTER NOW

STEP 14

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 15

Start in Normal mode and run the following Online AV scanner and post back the log please.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


Here you go... I had trouble rolling back IE, but managed to get there. Also, I don't have anti-virus software without reinstalling Norton, so please let me know if there is something else I need to do before reinstalling Norton.

JavaRa Log

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Aug 13 21:48:02 2009

Found and removed: C:\Documents and Settings\Deborah Chase\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: SOFTWARE\Classes\JavaSoft.JavaBeansBridge

Found and removed: SOFTWARE\Classes\JavaSoft.JavaBeansBridge.1

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\javaw.Exe

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: Software\JavaSoft\Java2D\1.5.0_02

Found and removed: Software\JavaSoft\Java2D\1.5.0_04

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: SOFTWARE\Classes\JavaPlugin.150_09

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\JavaPlugin.141

Found and removed: SOFTWARE\Classes\JavaPlugin.142

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.1

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.1

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\JavaPlugin.141

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Found and removed: C:\Program Files\JavaSoft

------------------------------------

Finished reporting.

Eset Log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=7.00.6000.16827 (vista_gdr.090226-1506)

# OnlineScanner.ocx=1.0.0.6048

# api_version=3.0.2

# EOSSerial=2dd81657286cd14abf01df58056b9b52

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-08-14 02:50:32

# local_time=2009-08-13 10:50:32 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# scanned=125866

# found=2

# cleaned=0

# scan_time=2546

C:\Documents and Settings\Deborah Chase\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanSpy.Bayfraud.CO trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Deborah Chase\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx multiple threats 00000000000000000000000000000000 I

Next???


  • Root Admin

Please run the following scanner so that I can see what it thinks is still possibly there.

Are you sure you ran STEPS 11 and 12 without any errors?

Did you use the special tool from Symantec to finish up the full removal?

What about step 8? Are you on IE6 now or IE7 ?

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

    When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop

  • Please include the following logs in your next reply:
    DDS.txt
    and
    Attach.txt


Please run the following scanner so that I can see what it thinks is still possibly there. Done, logs included although the attach.txt was supposed to be attached rather than included in the post. Please let me know if I need to repost.

Are you sure you ran STEPS 11 and 12 without any errors? Yes

Did you use the special tool from Symantec to finish up the full removal? I think so...I did exactly what your instructions said to do.

What about step 8? Are you on IE6 now or IE7 ? I am on IE7 now which was the version prior to upgrading to IE8

DDS (Ver_09-07-30.01) - NTFSx86

Run by Deborah Chase at 20:11:30.82 on Fri 08/14/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Deborah Chase\Desktop\dds.scr

C:\WINDOWS\SoftwareDistribution\Download\5d36f2aa7b9a0b7eeabfa4c3afb200cb\update\update.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uWindow Title = Microsoft Internet Explorer provided by Comcast

mStart Page = hxxp://www.google.com

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...00001A.000000B7

mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: washingtonpost.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233345024093

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233238421843

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab

DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: G7PS - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\windows\system32\G7PS.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-1 130936]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-8-11 66056]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-8-26 42112]

S4 Intacd;Intacd; [x]

S4 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

=============== Created Last 30 ================

2009-08-13 22:03 <DIR> --d----- c:\program files\ESET

2009-08-13 21:58 73,728 a------- c:\windows\system32\javacpl.cpl

2009-08-13 21:44 <DIR> --d----- C:\msvb

2009-08-13 21:12 2,105,344 a------- c:\windows\system32\secsetup.sdb

2009-08-13 20:36 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx

2009-08-13 20:35 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

2009-08-13 20:28 <DIR> --d----- c:\program files\CCleaner

2009-08-11 09:25 22 a------- C:\New Compressed (zipped) Folder.zip

2009-08-05 15:04 <DIR> --d----- c:\program files\Trend Micro

2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-01 23:23 <DIR> --d----- C:\Symlogs

2009-08-01 22:10 130,936 a------- c:\windows\system32\drivers\PCTCore.sys

2009-08-01 22:10 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-30 22:01 0 a------- c:\windows\exctrlst.INI

2009-07-29 22:25 45 a------- c:\windows\system32\initdebug.nfo

2009-07-29 22:22 <DIR> --d----- c:\program files\Lavalys

2009-07-25 00:20 <DIR> --d----- c:\windows\system32\dllcache\cache

2009-07-25 00:01 <DIR> a-dshr-- C:\cmdcons

2009-07-24 23:59 216,064 a------- c:\windows\PEV.exe

2009-07-24 23:59 161,792 a------- c:\windows\SWREG.exe

2009-07-24 23:59 98,816 a------- c:\windows\sed.exe

2009-07-23 11:53 <DIR> --d----- c:\program files\common files\CyberLink

2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-13 21:58 411,368 a------- c:\windows\system32\deploytk.dll

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-23 11:50 505,128 a------- c:\windows\system32\msvcp71.dll

2009-07-23 11:50 353,576 a------- c:\windows\system32\msvcr71.dll

2009-07-23 11:50 29,480 a------- c:\windows\system32\msxml3a.dll

2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll

2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll

2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll

2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll

2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll

2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll

2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe

2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe

2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll

2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll

2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll

2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll

2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll

2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll

2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll

2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

2009-02-20 23:41 34 a------- c:\documents and settings\deborah chase\jagex_runescape_preferences.dat

2005-08-04 22:37 22,502 a------- c:\docume~1\debora~1\applic~1\wklnhst.dat

2008-06-02 15:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 20:12:26.89 ===============

Attach.zip


  • Root Admin

STEP 01

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE PCTCore

Then let me know what it says.

STEP 02

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE YahooAUService

Then let me know what it says.

STEP 03

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE Intacd

Then let me know what it says.

STEP 04

Go into your Control Panel, Add/Remove and please remove the following software at least temporarily.

DVDSentry

ESET Online Scanner v3

Shockwave (I think this is the older version)

Windows Live OneCare safety scanner

STEP 05

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K reg query HKEY_LOCAL_MACHINE\SYSTEM\Setup /v SystemPartition

Then let me know what it says.

(it should look something like this)

HKEY_LOCAL_MACHINE\SYSTEM\Setup

SystemPartition REG_SZ \Device\HarddiskVolume1

STEP 06

Please download and run this program: Dial-a-fix

Let me know if any errors pop up or not.

dialafix.png


STEP 01

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE PCTCore

Then let me know what it says.

[sC] DeleteService SUCCESS

STEP 02

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE YahooAUService

Then let me know what it says.

[sC] DeleteService SUCCESS

STEP 03

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K SC DELETE Intacd

Then let me know what it says.

[sC] DeleteService SUCCESS

STEP 04

Go into your Control Panel, Add/Remove and please remove the following software at least temporarily.

DVDSentry

ESET Online Scanner v3

Shockwave (I think this is the older version)

Windows Live OneCare safety scanner

STEP 05

Please click on START - RUN and type in or copy/paste the following into the run line and click OK

CMD /K reg query HKEY_LOCAL_MACHINE\SYSTEM\Setup /v SystemPartition

Then let me know what it says.

(it should look something like this)

HKEY_LOCAL_MACHINE\SYSTEM\Setup

SystemPartition REG_SZ \Device\HarddiskVolume1

SystemPartition REG_SZ \Device\Harddisk Volume2

STEP 06

Please download and run this program: Dial-a-fix

Let me know if any errors pop up or not.

dialafix.png

Before the program ran a pop up came up with the following note:

regsvr32.exe was not found in C:\WINDOWS\System32. This will not affect Dial-a-fix but it will affect the installation of other programs. It is suggested that you extract this file from your installation media.


Do you have the Windows XP CD to expand that file back to the system or another computer running the same version of Windows that you can get a copy of regsvr32.exe and copy it to your system?

I don't have one available until Monday at the office but can't I get it online?


I don't have one available until Monday at the office but can't I get it online?

I ran a search for the file and found three instances of it already:

C:\I386

C:\WINDOWS\ServicePackFiles\i386

C:\ProgramFiles\Intuit\Quick books 2005\components\PConfig\Data1.cab

Can any of these be used?

Deb

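The checks Ron walked through by hand in STEP 01 to STEP 05 above (leftover services, the SystemPartition value, leftover Malwarebytes folders) and the missing regsvr32.exe that Dial-a-fix reported can be gathered in one read-only report. This is an added PowerShell example, not a tool from the thread or from Malwarebytes; it assumes the Windows XP layout seen in the logs (C:\WINDOWS, C:\I386) and PowerShell 2.0 or later, and it changes nothing on the system.

```powershell
# Added example (not from the thread or from Malwarebytes): a read-only
# report of the items the helper checked by hand. Assumes the Windows XP
# layout in the thread's logs: %SystemRoot% = C:\WINDOWS and C:\I386 present.
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. regsvr32.exe: COM self-registration (the SGrid II OCX included) needs it,
#    so a missing copy fits the "Run-time Error 440 Automation Error" seen here.
$target = Join-Path $sys32 'regsvr32.exe'
if (Test-Path $target) {
    $ver = (Get-Item $target).VersionInfo.FileVersion
    Write-Output "regsvr32.exe present in System32 (file version $ver)"
} else {
    Write-Output 'regsvr32.exe MISSING from System32'
    # Places a clean copy normally lives on XP (the two found in the thread,
    # plus the Windows File Protection cache). The copy whose version matches
    # the installed service pack is the one to restore.
    $candidates = @(
        (Join-Path $env:SystemDrive 'I386\regsvr32.exe'),
        (Join-Path $env:SystemRoot 'ServicePackFiles\i386\regsvr32.exe'),
        (Join-Path $sys32 'dllcache\regsvr32.exe')
    )
    foreach ($c in $candidates) {
        if (Test-Path $c) {
            $ver = (Get-Item $c).VersionInfo.FileVersion
            Write-Output "  candidate copy: $c (file version $ver)"
        }
    }
}

# 2. Services left behind by removed products (PC Tools, Yahoo Updater, Intacd),
#    read from the registry so kernel drivers such as PCTCore are covered too.
foreach ($name in 'PCTCore', 'YahooAUService', 'Intacd') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        Write-Output "service '$name' still registered (ImagePath: $img)"
    } else {
        Write-Output "service '$name' not registered"
    }
}

# 3. The SystemPartition value that Dial-a-fix and several installers read.
$setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -Name SystemPartition -ErrorAction SilentlyContinue
if ($setup) {
    Write-Output "SystemPartition = $($setup.SystemPartition)"
} else {
    Write-Output 'SystemPartition value is missing from HKLM\SYSTEM\Setup'
}

# 4. Folders a failed Malwarebytes install can leave behind (STEP 10 above).
$leftovers = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Malwarebytes'),
    (Join-Path $env:APPDATA 'Malwarebytes'),
    (Join-Path $env:ProgramFiles "Malwarebytes' Anti-Malware")
)
foreach ($p in $leftovers) {
    if (Test-Path $p) { Write-Output "leftover folder: $p" }
}
```

Run it from an elevated PowerShell prompt before and after the cleanup steps; a service that still shows as registered after its product was uninstalled is exactly the case the SC DELETE steps above handle.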

Ron, thank you soooooo much!!! :rolleyes: That did the trick. I was able to install the program and ran a full scan with no infections. You are awesome! Thanks so much for your patience and persistence.

Is there anything else you would recommend I do?

Deb

Malwarebytes' Anti-Malware 1.40

Database version: 2636

Windows 5.1.2600 Service Pack 3

8/16/2009 7:52:48 PM

mbam-log-2009-08-16 (19-52-48).txt

Scan type: Full Scan (C:\|)

Objects scanned: 245108

Time elapsed: 34 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
