Cannot get rid of this problem

schlepsa · August 14, 2010

I hope I did all the right things. These are the logs that the instructions said I should post.

DDS_file.txt

ark.zip

Attach.zip

protection_log_2010_08_13.zip

Elise · August 14, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

schlepsa · August 17, 2010

ComboFix 10-08-16.03 - Tom Kiernan 08/17/2010 3:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.420 [GMT -4:00]

Running from: c:\documents and settings\Tom Kiernan\Desktop\ComboFix.exe

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\ynh.dx

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))

.

2010-08-14 03:03 . 2010-08-14 03:03 -------- d-----w- c:\documents and settings\Tom Kiernan\Application Data\Bitrix Security

2010-08-14 02:51 . 2010-08-14 02:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security

2010-08-14 02:51 . 2010-08-14 02:51 47616 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\lyenrei96.dll

2010-08-13 04:46 . 2010-08-13 09:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\hpjqfjbxp

2010-08-13 01:52 . 2010-08-13 04:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\gyqsfgjvv

2010-08-12 05:23 . 2010-08-12 05:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\hulqbnydh

2010-08-11 09:04 . 2010-08-12 04:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\xmyvsgcxx

2010-08-10 05:35 . 2010-08-10 05:35 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-08-10 05:35 . 2010-08-10 05:35 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-08-10 05:35 . 2010-08-10 05:35 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-08-10 05:35 . 2010-08-10 05:35 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-08-10 05:35 . 2010-08-10 05:35 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-08-10 05:35 . 2010-08-10 05:35 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-08-10 05:35 . 2010-08-10 05:35 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-08-10 05:35 . 2010-08-10 05:35 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-08-10 05:35 . 2010-08-10 05:35 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-08-10 05:34 . 2010-08-10 05:34 -------- d-----w- c:\program files\Common Files\xing shared

2010-08-07 09:15 . 2010-08-07 09:15 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-06 17:14 . 2010-08-07 00:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fsbfnkois

2010-07-30 19:40 . 2010-08-07 09:00 -------- d--h--w- c:\documents and settings\Tom Kiernan\Recent(2)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-17 04:56 . 2010-01-14 23:07 -------- d-----w- c:\documents and settings\Tom Kiernan\Application Data\HPAppData

2010-08-17 04:31 . 2009-03-20 10:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-10 05:35 . 2005-12-19 15:26 -------- d-----w- c:\program files\Common Files\Real

2010-08-10 05:34 . 2005-12-19 15:26 -------- d-----w- c:\program files\Real

2010-08-10 05:34 . 2008-06-03 05:36 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-08-08 09:17 . 2007-12-27 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-07 09:14 . 2010-07-02 22:08 -------- d-----w- c:\program files\Microsoft Silverlight

2010-08-07 09:14 . 2010-07-02 22:51 -------- d-----w- c:\program files\AOL 9.5

2010-08-07 09:14 . 2010-06-26 23:18 -------- d-----w- c:\program files\Common Files\aolshare

2010-08-07 09:13 . 2005-12-19 15:25 -------- d-----w- c:\program files\Common Files\AOL

2010-08-07 09:13 . 2010-07-02 22:54 -------- d-----w- c:\program files\Common Files\aolback

2010-08-07 09:13 . 2010-07-02 23:11 -------- d-----w- c:\program files\AOL 9.5a

2010-07-30 01:22 . 2008-03-31 06:43 -------- d-----w- c:\program files\Google

2010-07-02 23:11 . 2005-12-19 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2010-06-30 04:15 . 2010-06-30 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon

2010-06-30 04:07 . 2010-06-30 04:07 -------- d-----w- c:\documents and settings\Tom Kiernan\Application Data\Western Digital

2010-06-30 04:07 . 2010-06-30 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital

2010-06-30 04:06 . 2010-06-30 04:06 -------- d-----w- c:\program files\Western Digital

2010-06-28 18:18 . 2010-02-18 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-28 08:54 . 2010-06-28 08:54 -------- d-----w- c:\program files\SystemRequirementsLab

2010-06-28 07:48 . 2005-12-19 15:03 19456 ----a-w- c:\windows\system32\IntelNic.dll

2010-06-26 23:18 . 2010-06-26 23:18 -------- d-----w- c:\program files\AOL 9.1

2010-06-26 23:18 . 2010-06-26 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP

2010-06-26 23:17 . 2010-06-18 23:42 -------- d-----w- c:\program files\AOL 9.0

2010-06-26 23:17 . 2010-06-18 23:42 -------- d-----w- c:\program files\Common Files\aolshare(2)

2010-06-26 23:17 . 2006-01-13 00:24 -------- d-----w- c:\documents and settings\Tom Kiernan\Application Data\AOL

2010-06-23 00:26 . 2008-08-14 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek

2010-06-20 22:59 . 2006-04-17 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2010-06-08 09:30 . 2010-06-08 09:30 503808 ----a-w- c:\documents and settings\Tom Kiernan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-254e96c4-n\msvcp71.dll

2010-06-08 09:30 . 2010-06-08 09:30 499712 ----a-w- c:\documents and settings\Tom Kiernan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-254e96c4-n\jmc.dll

2010-06-08 09:30 . 2010-06-08 09:30 348160 ----a-w- c:\documents and settings\Tom Kiernan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-254e96c4-n\msvcr71.dll

2010-06-08 09:30 . 2010-06-08 09:30 61440 ----a-w- c:\documents and settings\Tom Kiernan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a7cd31d-n\decora-sse.dll

2010-06-08 09:30 . 2010-06-08 09:30 12800 ----a-w- c:\documents and settings\Tom Kiernan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a7cd31d-n\decora-d3d.dll

2009-02-02 05:49 . 2006-01-03 06:29 104 --sh--r- c:\windows\system32\41C1A329B6.sys

2009-02-02 05:49 . 2006-01-03 06:29 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-10 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]

WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1206437017\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 11:56 AM 106208]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 11:57 AM 727720]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/31/2009 8:21 PM 304464]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/31/2009 8:21 PM 20952]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/31/2009 8:21 PM 38224]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/30/2010 12:07 AM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{511C90F4-EF8B-42A0-B7EC-CF5D1B129D5E}]

2010-08-14 02:51 47616 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\lyenrei96.dll

.

Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-08-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3428795369-2916434407-691850253-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-08-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3428795369-2916434407-691850253-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dell4me.com/myway

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uInternet Settings,ProxyOverride = <local>

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html

Trusted Zone: aebn.net\template

Trusted Zone: aebn.net\www

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Tom Kiernan\Application Data\Mozilla\Firefox\Profiles\sxn7evim.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://www.google.com/firefox

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: protocol-handler.warn-external.dnUpdate - falsec:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

HKLM-Run-ACD mPower Tools - c:\program files\ACD Systems\mPower Tools\1.0\mPowerTools.exe

AddRemove-12133444-BF36-4d4e-B7FB-A3424C645DE4 - c:\program files\GemMaster\uninstallgemmaster.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-17 03:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3428795369-2916434407-691850253-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2010-08-17 03:45:29

ComboFix-quarantined-files.txt 2010-08-17 07:45

Pre-Run: 45,680,697,344 bytes free

Post-Run: 46,405,971,968 bytes free

- - End Of File - - 2E9684716E36B9B64091AA9809A4F3AF

Thank you for answering my message. I'm no computer whiz so I'll ask your forgiveness beforehand if I screw things up. I ran the Combifix as you directed. The first time I tried it, the computer froze. I had to shut down and start over. It worked the second time. The file above is the result. When the Combifix was finished I restarted my eset antivirus. That's where I am right now. Thank you again for the help.

Elise · August 17, 2010

Well done!

You had a nasty rootkit on board. Its gone now, but please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

schlepsa · August 18, 2010

Wow! This was worse than I ever thought. I think the smart thing to do is wipe the whole thing clean and start over. That seems like a monumental job right now so I'll clean the system using the instructions you provided. I got home late from work tonight so I'll hold off until tomorrow evening.

I'd like to make a donation but I'm not sure I should do so online until this mess is cleaned up. Any suggestions in that area?

Elise · August 18, 2010

Hi there,

Yes, a reformat/reinstall can be time consuming and in that case its indeed best to go through with the cleanup for now.

As for any online transaction: the actual threat is gone, and if you changed any sensitive data, you should be reasonably fine (of course you always should keep in mind not to store passwords and the link on your computer and only use secure sites).

I'll wait for your log.

schlepsa · August 19, 2010

ComboFix 10-08-18.04 - Tom Kiernan 08/19/2010 17:15:04.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.450 [GMT -4:00]

Running from: c:\documents and settings\Tom Kiernan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Tom Kiernan\Desktop\CFScript.txt

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))

.

2010-08-17 08:01 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe