help with Random MSIE pages

jimkopke · November 8, 2010

You've heard it before. Several times a day I get bombarded with random website hits. They seem to get triggered when I open a google search, but also loads dozens of pages through the night. Previously, I have tried several different antivirus and malware programs which seem to slow it down for 24 hours or so, but then they start back up. I have followed your instructions which has brought me to this point and am attaching the logs as requested. The attach.txt file and ark.txt files have been zipped and attached to this post as attach.zip Thanks in advance for your help.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5014

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/3/2010 7:26:35 PM

mbam-log-2010-11-03 (19-26-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 364963

Time elapsed: 1 hour(s), 1 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-11-08.01) - NTFSx86

Run by Jim at 11:46:29.78 on Mon 11/08/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2128 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe

C:\Program Files\PDF Suite 2010\ConversionService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\AOL\1286184261\ee\AOLSoftware.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\AOL 9.0b\waol.exe

C:\Program Files\AOL 9.0b\shellmon.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Documents and Settings\Jim\Desktop\777hhvd4.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PDF Suite Helper: {1ad61d5b-58a3-4592-9b34-dc84688ff805} - c:\program files\pdf suite 2010\PDFIEHelper.dll

BHO: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - c:\program files\isobuster\tbIso1.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\18.1.0.37\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\18.1.0.37\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: PDF Suite Toolbar: {261f6a8b-7aaf-4bf5-8552-6610f4d67819} - c:\program files\pdf suite 2010\PDFIEPlugin.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\18.1.0.37\coIEPlg.dll

TB: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - c:\program files\isobuster\tbIso1.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {851552F5-B878-4B03-904F-2AD6A4CC8994} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AOL Fast Start] "c:\program files\aol 9.0b\AOL.EXE" -b

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [yDecode] c:\program files\ydecode\yDecode.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [HostManager] c:\program files\common files\aol\1286184261\ee\AOLSoftware.exe

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [yDecode] c:\program files\ydecode\yDecode.exe

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

StartupFolder: c:\docume~1\jim\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

StartupFolder: c:\docume~1\jim\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab

DPF: {CF4A2C45-CB89-4018-94BB-C2CACB83A537} - hxxps://www.myremotemanager.com/myrm/device/xancamx.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {600AAE40-FB2E-49AB-B088-41C29A750534} = 72.19.128.53,72.19.128.99

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\po7mzqvu.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage -

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\po7mzqvu.default\extensions\{ad55c869-668e-457c-b270-0cfb2f61116f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\po7mzqvu.default\extensions\{ad55c869-668e-457c-b270-0cfb2f61116f}\components\RadioWMPCore.dll

FF - component: c:\program files\pdf suite 2010\firefoxextension\components\FFPDFConverter.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - plugin: c:\program files\pdf suite 2010\firefoxextension\plugins\NPPdfExt.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2010-10-15 10112]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-10-3 24064]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1201000.025\SymDS.sys [2010-10-12 339504]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1201000.025\SymEFA.sys [2010-10-12 666672]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20101029.001\BHDrvx86.sys [2010-11-1 692272]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1201000.025\Ironx86.sys [2010-10-12 134704]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\18.1.0.37\ccSvcHst.exe [2010-10-12 126904]

R2 PDF Suite 2010 Service;PDF Suite 2010 Service;c:\program files\pdf suite 2010\ConversionService.exe [2010-9-28 791360]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-12 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20101104.004\IDSXpx86.sys [2010-10-19 341880]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-10-3 176640]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20101108.002\NAVENG.SYS [2010-11-8 86064]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20101108.002\NAVEX15.SYS [2010-11-8 1371184]

S0 cerc6;cerc6; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-9 136176]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-08 00:19:10 43952 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-11-07 22:56:35 -------- d-----w- c:\program files\active ports

2010-11-07 22:51:30 49664 ----a-w- c:\windows\unvise32.exe

2010-11-07 21:49:46 24983 ----a-w- c:\windows\system32\21494682841.dll

2010-11-06 14:32:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-05 19:30:39 -------- d-----w- c:\docume~1\jim\applic~1\CopyToDvd

2010-11-05 19:27:44 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\ApplicationHistory

2010-11-05 19:27:18 -------- d-----w- c:\program files\Lantronix

2010-11-05 19:26:18 -------- d-----w- c:\windows\system32\URTTEMP

2010-11-05 19:18:51 -------- d-----w- C:\e74ce0d18378dfb83afaf1e93c276606

2010-11-03 16:56:37 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-11-03 14:14:48 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Sunbelt Software

2010-11-03 14:14:16 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-03 14:14:03 -------- d-----w- c:\program files\Lavasoft

2010-11-01 14:27:08 -------- d-----w- c:\docume~1\jim\applic~1\Malwarebytes

2010-11-01 14:27:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 14:27:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-01 14:27:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 14:27:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-01 08:43:40 -------- d-----w- c:\program files\trend micro

2010-10-31 00:28:32 -------- d-----w- c:\program files\common files\Data

2010-10-31 00:26:27 197632 ----a-w- c:\program files\common files\OnlineFilesManager.dll

2010-10-27 21:41:59 43264 ----a-r- c:\windows\system32\drivers\ser2pl.sys

2010-10-27 15:49:07 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Microsoft Help

2010-10-27 15:43:50 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\PCHealth

2010-10-26 22:01:19 -------- d-----w- c:\windows\system32\NtmsData

2010-10-24 10:59:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\vsosdk

2010-10-19 14:56:03 -------- d-----w- c:\docume~1\jim\applic~1\Office Genuine Advantage

2010-10-19 09:05:22 -------- d-----w- c:\windows\system32\XPSViewer

2010-10-19 09:04:49 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-10-19 09:04:35 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-10-19 09:04:35 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-10-19 09:04:35 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-10-19 09:04:35 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-10-19 09:04:35 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-10-19 09:04:35 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-10-19 09:04:35 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-10-19 09:04:35 117760 ------w- c:\windows\system32\prntvpt.dll

2010-10-19 09:04:35 -------- d-----w- C:\9000a4901a3e329d7f

2010-10-18 20:24:58 -------- d-----w- c:\docume~1\jim\applic~1\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-18 20:24:58 -------- d-----w- c:\docume~1\jim\applic~1\Adobe Mini Bridge CS5

2010-10-18 17:12:21 -------- d-----w- c:\docume~1\jim\applic~1\PDF Software

2010-10-17 17:43:27 -------- d--h--w- C:\BJPrinter

2010-10-17 07:39:27 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Temp

2010-10-16 06:50:09 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Conduit

2010-10-16 06:47:36 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\IsoBuster

2010-10-16 06:47:35 -------- d-----w- c:\program files\IsoBuster

2010-10-16 06:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\1Click DVD Copy

2010-10-16 01:01:19 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys

2010-10-16 01:01:19 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys

2010-10-16 00:44:51 10112 ----a-w- c:\windows\system32\drivers\o1394b.sys

2010-10-16 00:44:51 -------- d-----w- c:\windows\drivers

2010-10-15 10:31:38 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys

2010-10-15 05:44:55 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-10-15 05:44:55 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-10-15 05:42:24 7680 ----a-w- c:\windows\system32\CNMVS5p.DLL

2010-10-15 05:42:24 50176 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP5p.DLL

2010-10-15 05:42:24 17920 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD5p.DLL

2010-10-15 05:42:24 113152 ----a-w- c:\windows\system32\CNMLM5p.DLL

2010-10-15 05:42:22 86016 ----a-w- c:\windows\system32\CNMCP5p.exe

2010-10-14 06:25:48 1024 ---h--r- c:\windows\system32\NTIDBD32.dll

2010-10-14 06:25:20 1024 ---h--r- c:\windows\system32\NTIBUN4.dll

2010-10-14 06:24:49 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll

2010-10-14 06:24:49 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll

2010-10-14 06:24:49 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe

2010-10-14 06:24:49 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll

2010-10-14 06:24:49 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll

2010-10-14 06:24:48 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll

2010-10-14 06:24:47 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll

2010-10-14 06:24:45 226816 ------w- c:\windows\system32\htvcdsvcd.ax

2010-10-14 06:24:09 1024 ---h--r- c:\windows\system32\NTIMPEG2.dll

2010-10-14 06:24:09 1024 ---h--r- c:\windows\system32\NTIFCD3.dll

2010-10-14 06:24:09 1024 ---h--r- c:\windows\system32\NTICDMK7.dll

2010-10-14 06:24:04 6912 ----a-w- c:\windows\system32\drivers\NTIDrvr.sys

2010-10-14 06:14:31 87608 ----a-w- c:\docume~1\jim\applic~1\inst.exe

2010-10-14 06:14:31 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-10-14 06:14:31 47360 ----a-w- c:\docume~1\jim\applic~1\pcouffin.sys

2010-10-14 06:14:24 102439 ----a-w- c:\windows\system32\sipr3260.dll

2010-10-14 06:14:23 65602 ----a-w- c:\windows\system32\cook3260.dll

2010-10-14 06:14:23 626688 ----a-w- c:\windows\system32\vp7vfw.dll

2010-10-14 06:14:23 217127 ----a-w- c:\windows\system32\drv43260.dll

2010-10-14 06:14:23 208935 ----a-w- c:\windows\system32\drv33260.dll

2010-10-14 06:14:23 176165 ----a-w- c:\windows\system32\drv23260.dll

2010-10-14 03:04:59 -------- d-----w- c:\program files\Duplicate Finder

2010-10-14 01:11:45 -------- d-----w- c:\windows\system32\appmgmt

2010-10-14 00:12:49 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll

2010-10-14 00:12:49 572752 ----a-w- c:\windows\system32\wmvdmoe.dll

2010-10-14 00:12:49 438608 ----a-w- c:\windows\system32\wmv8dmod.dll

2010-10-14 00:12:48 285184 ----a-w- c:\windows\system32\wmidx2.ocx

2010-10-14 00:12:48 1683792 ----a-w- c:\windows\system32\wmvcore2.dll

2010-10-13 23:33:34 -------- d-----w- c:\docume~1\jim\applic~1\Tific

2010-10-13 23:33:33 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Symantec

2010-10-13 21:26:38 1687625 ----a-w- c:\windows\system32\InetClnt.dll

2010-10-13 21:26:17 225280 ----a-w- c:\windows\system32\AWRTL30.DLL

2010-10-13 21:26:17 111616 ----a-w- c:\windows\system32\LTIH30TB.DLL

2010-10-13 21:21:24 -------- d-----w- c:\windows\Intuit

2010-10-13 21:21:20 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll

2010-10-13 20:38:51 -------- d-----w- c:\docume~1\jim\applic~1\Easy Duplicate Finder

2010-10-13 20:38:50 -------- d-----w- c:\program files\Easy Duplicate Finder

2010-10-13 20:28:39 -------- d-----w- c:\docume~1\jim\applic~1\KompoZer

2010-10-13 20:27:29 -------- d-sh--w- c:\documents and settings\jim\IECompatCache

2010-10-13 20:25:59 -------- d-sh--w- c:\documents and settings\jim\PrivacIE

2010-10-13 20:25:50 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Google

2010-10-13 18:56:46 -------- d-----w- c:\program files\yEnc32

2010-10-13 18:51:59 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Mozilla

2010-10-13 18:24:26 -------- d-----w- c:\docume~1\jim\applic~1\Anthropics

2010-10-13 18:20:16 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\WinZip

2010-10-13 17:49:22 -------- d-----w- c:\docume~1\jim\applic~1\uTorrent

2010-10-13 15:15:14 42368 -c--a-w- c:\windows\system32\dllcache\agp440.sys

2010-10-13 15:15:14 42368 ----a-w- c:\windows\system32\drivers\AGP440.SYS

2010-10-13 15:14:33 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys

2010-10-13 15:14:33 5504 ----a-w- c:\windows\system32\drivers\intelide.sys

2010-10-13 15:14:21 1897408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys

2010-10-13 15:14:21 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2010-10-13 15:14:20 4274816 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll

2010-10-13 15:14:20 4274816 ----a-w- c:\windows\system32\nv4_disp.dll

2010-10-13 15:14:16 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys

2010-10-13 15:14:16 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys

2010-10-13 15:14:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys

2010-10-13 15:14:16 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys

2010-10-13 15:14:15 53376 -c--a-w- c:\windows\system32\dllcache\1394bus.sys

2010-10-13 15:14:15 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys

2010-10-13 15:13:28 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2010-10-13 15:13:28 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2010-10-13 15:06:13 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Adobe

2010-10-13 15:05:17 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\yDecode

2010-10-13 15:00:25 -------- d-----w- c:\docume~1\jim\applic~1\LimeWire

2010-10-13 14:58:44 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Identities

2010-10-13 14:35:44 -------- d-----w- c:\docume~1\jim\applic~1\AOL

2010-10-13 14:12:09 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\PowerDVD DX

2010-10-13 09:37:11 2560 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\usmt\iconlib.dll

2010-10-13 07:44:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe

2010-10-13 03:40:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2010-10-13 00:22:26 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-10-13 00:22:26 215920 ----a-w- c:\windows\system32\muweb.dll

2010-10-13 00:22:26 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-10-13 00:15:11 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll

2010-10-13 00:15:11 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-10-13 00:12:28 -------- d-----w- c:\windows\SHELLNEW

2010-10-12 21:14:12 737280 ----a-w- c:\windows\iun6002.exe

2010-10-12 21:13:18 -------- d-----w- c:\program files\WYSIWYG Web Builder 7

==================== Find3M ====================

2010-10-13 03:41:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-10-04 22:09:56 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 11:47:03.89 ===============

Attach.zip

Gammo · November 10, 2010

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
Click me
If you can't disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

jimkopke · November 13, 2010

ComboFix 10-11-12.06 - Jim 11/13/2010 10:07:34.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2557 [GMT -7:00]

Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jim\Application Data\inst.exe

C:\ErrLog.txt

c:\program files\Search Toolbar

c:\program files\WinPCap

c:\program files\WinPCap\LICENSE

c:\windows\system32\15325643741.dll

.

((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))

.

2010-11-11 10:01 . 2010-11-11 10:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2010-11-08 21:39 . 2010-11-08 21:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-08 00:19 . 2010-07-22 01:27 43952 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-11-07 22:56 . 2010-11-08 16:14 -------- d-----w- c:\program files\active ports

2010-11-07 22:51 . 1999-12-17 17:13 49664 ----a-w- c:\windows\unvise32.exe

2010-11-07 20:07 . 2010-11-07 20:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-06 15:04 . 2010-11-06 15:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-06 14:32 . 2010-11-06 14:32 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-05 19:30 . 2010-11-05 19:31 -------- d-----w- c:\documents and settings\Jim\Application Data\CopyToDvd

2010-11-05 19:27 . 2010-11-05 19:28 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\ApplicationHistory

2010-11-05 19:27 . 2010-11-05 19:27 -------- d-----w- c:\program files\Lantronix

2010-11-05 19:26 . 2010-11-05 19:26 -------- d-----w- c:\windows\system32\URTTEMP

2010-11-05 19:18 . 2010-11-05 19:24 -------- d-----w- C:\e74ce0d18378dfb83afaf1e93c276606

2010-11-03 16:56 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-11-03 14:14 . 2010-11-03 14:14 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Sunbelt Software

2010-11-03 14:14 . 2010-11-08 00:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-03 14:14 . 2010-11-03 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-11-03 14:14 . 2010-11-03 14:14 -------- d-----w- c:\program files\Lavasoft

2010-11-01 14:27 . 2010-11-01 14:27 -------- d-----w- c:\documents and settings\Jim\Application Data\Malwarebytes

2010-11-01 14:27 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 14:27 . 2010-11-01 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 14:27 . 2010-11-01 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 14:27 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-01 08:43 . 2010-11-01 08:43 -------- d-----w- C:\rsit

2010-11-01 08:43 . 2010-11-01 08:43 -------- d-----w- c:\program files\trend micro

2010-10-31 09:54 . 2008-04-14 07:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-10-31 09:39 . 2010-10-31 09:39 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-10-31 00:28 . 2010-10-31 00:43 -------- d-----w- c:\program files\Common Files\Data

2010-10-31 00:26 . 2010-10-31 00:26 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll

2010-10-27 21:41 . 2003-07-16 09:27 43264 ----a-r- c:\windows\system32\drivers\ser2pl.sys

2010-10-27 15:49 . 2010-10-27 15:49 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Microsoft Help

2010-10-27 15:43 . 2010-10-27 15:43 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\PCHealth

2010-10-26 22:01 . 2010-11-11 10:01 -------- d-----w- c:\windows\system32\NtmsData

2010-10-24 10:59 . 2010-10-24 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2010-10-19 14:56 . 2010-10-19 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-10-19 14:56 . 2010-10-19 14:56 -------- d-----w- c:\documents and settings\Jim\Application Data\Office Genuine Advantage

2010-10-19 09:05 . 2010-10-19 09:05 -------- d-----w- c:\windows\system32\XPSViewer

2010-10-19 09:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-10-19 09:04 . 2010-10-19 09:04 -------- d-----w- C:\9000a4901a3e329d7f

2010-10-19 09:04 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-10-19 09:04 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-10-19 09:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-10-19 09:04 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-10-19 09:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-10-19 09:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-10-19 09:04 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-10-19 09:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-10-19 06:38 . 2010-10-24 06:14 -------- d-----w- c:\documents and settings\Jim\Application Data\vlc

2010-10-18 20:24 . 2010-10-18 20:24 -------- d-----w- c:\documents and settings\Jim\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-18 20:24 . 2010-10-18 20:24 -------- d-----w- c:\documents and settings\Jim\Application Data\Adobe Mini Bridge CS5

2010-10-18 17:12 . 2010-10-18 17:12 -------- d-----w- c:\documents and settings\Jim\Application Data\PDF Software

2010-10-17 17:43 . 2010-10-17 17:43 -------- d-----w- C:\BJPrinter

2010-10-17 07:39 . 2010-10-23 08:44 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Temp

2010-10-17 06:19 . 2010-11-06 15:04 -------- d-----w- c:\documents and settings\Jim\Application Data\FileZilla

2010-10-16 06:50 . 2010-10-17 06:51 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Conduit

2010-10-16 06:47 . 2010-10-17 06:51 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\IsoBuster

2010-10-16 06:47 . 2010-11-03 16:56 -------- d-----w- c:\program files\IsoBuster

2010-10-16 06:47 . 2010-10-16 06:47 -------- d-----w- c:\program files\Smart Projects

2010-10-16 06:38 . 2010-10-30 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy

2010-10-16 01:01 . 2008-04-14 06:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys

2010-10-16 01:01 . 2008-04-14 06:10 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys

2010-10-16 00:44 . 2010-10-16 00:44 -------- d-----w- c:\windows\drivers

2010-10-16 00:44 . 2004-10-15 15:58 10112 ----a-w- c:\windows\system32\drivers\o1394b.sys

2010-10-15 10:31 . 2010-10-15 10:31 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys

2010-10-15 05:44 . 2008-04-14 06:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-10-15 05:44 . 2008-04-14 06:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-10-15 05:42 . 2004-02-03 20:00 7680 ----a-w- c:\windows\system32\CNMVS5p.DLL

2010-10-15 05:42 . 2004-02-03 20:00 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP5p.DLL

2010-10-15 05:42 . 2004-02-03 20:00 17920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD5p.DLL

2010-10-15 05:42 . 2004-02-03 20:00 113152 ----a-w- c:\windows\system32\CNMLM5p.DLL

2010-10-15 05:42 . 2003-08-27 18:11 86016 ----a-w- c:\windows\system32\CNMCP5p.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-08 21:39 . 2010-10-04 08:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-14 06:25 . 2010-10-14 06:24 6912 ----a-w- c:\windows\system32\drivers\NTIDrvr.sys

2010-10-14 06:14 . 2010-10-14 06:14 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-10-14 06:14 . 2010-10-14 06:14 47360 ----a-w- c:\documents and settings\Jim\Application Data\pcouffin.sys

2010-10-13 03:41 . 2010-10-13 03:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-10-13 03:41 . 2010-10-13 03:41 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-10-12 23:58 . 2010-10-12 21:14 737280 ----a-w- c:\windows\iun6002.exe

2010-09-18 18:23 . 2008-04-14 07:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-14 07:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-14 07:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-14 07:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-04-14 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2008-04-14 07:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2008-04-14 07:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2008-04-14 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2008-04-14 07:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2008-04-14 07:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2010-10-04 06:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2008-04-14 07:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2008-04-14 07:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2008-04-14 07:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AD61D5B-58A3-4592-9B34-DC84688FF805}]

2010-09-29 00:13 107328 ----a-w- c:\program files\PDF Suite 2010\PDFIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

2010-10-16 06:50 2735200 ----a-w- c:\program files\IsoBuster\tbIso1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}"= "c:\program files\IsoBuster\tbIso1.dll" [2010-10-16 2735200]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{266FCDCA-7BB3-4DA7-B3BF-F845DEA2EBD6}"= "c:\program files\IsoBuster\tbIso1.dll" [2010-10-16 2735200]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]

@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"

[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]

2010-10-31 00:26 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AOL Fast Start"="c:\program files\AOL 9.0b\AOL.EXE" [2007-02-06 50736]

"yDecode"="c:\program files\yDecode\yDecode.exe" [2006-09-08 704008]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-10 39408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"HostManager"="c:\program files\Common Files\AOL\1286184261\ee\AOLSoftware.exe" [2006-09-26 50736]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-09-21 913552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"yDecode"="c:\program files\yDecode\yDecode.exe" [2006-09-08 704008]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Jim\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-9-30 503808]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 663552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\AOL 9.0b\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\yDecode\\yDecode.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [10/15/2010 5:44 PM 10112]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [10/3/2010 11:23 PM 24064]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1201000.025\SymDS.sys [10/12/2010 8:41 PM 339504]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1201000.025\SymEFA.sys [10/12/2010 8:41 PM 666672]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [11/3/2010 5:07 PM 691248]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1201000.025\Ironx86.sys [10/12/2010 8:41 PM 134704]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 12:46 AM 1375992]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [10/12/2010 8:41 PM 126904]

R2 PDF Suite 2010 Service;PDF Suite 2010 Service;c:\program files\PDF Suite 2010\ConversionService.exe [9/28/2010 5:13 PM 791360]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/12/2010 8:41 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101112.001\IDSXpx86.sys [10/19/2010 1:36 PM 341880]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [10/3/2010 11:06 PM 176640]

S0 cerc6;cerc6; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2010 9:54 PM 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 12:46 AM 15264]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

2010-11-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 14:32]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6dce7ba088c0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 04:54]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb6dce7bc6ae60.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 04:54]

2010-11-13 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"

TCP: {600AAE40-FB2E-49AB-B088-41C29A750534} = 72.19.128.53,72.19.128.99

DPF: {CF4A2C45-CB89-4018-94BB-C2CACB83A537} - hxxps://www.myremotemanager.com/myrm/device/xancamx.ocx

FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\po7mzqvu.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage -

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\po7mzqvu.default\extensions\{ad55c869-668e-457c-b270-0cfb2f61116f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\po7mzqvu.default\extensions\{ad55c869-668e-457c-b270-0cfb2f61116f}\components\RadioWMPCore.dll

FF - component: c:\program files\PDF Suite 2010\firefoxextension\components\FFPDFConverter.dll

FF - plugin: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\po7mzqvu.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\PDF Suite 2010\firefoxextension\plugins\NPPdfExt.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{851552F5-B878-4B03-904F-2AD6A4CC8994} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-13 10:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-11-13 10:16:35

ComboFix-quarantined-files.txt 2010-11-13 17:16

ComboFix2.txt 2008-02-09 04:56

Pre-Run: 792,742,346,752 bytes free

Post-Run: 793,670,361,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6239EF7AD743C5932D4060F2C78EC7F7

Gammo · November 13, 2010

Hi,

Open notepad by going to Start > Run and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:

@echo off
>Router_Log_Gammo.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Router_Log_Gammo.txt
del %0

In Notepad click on the "File" menu > Save As...

Under "File name" type Router_Gammo.bat

Change "Save as type" to All Files

Save it to your Desktop

Double click on Router_Gammo.bat. It will open a notepad windows. Please post the contents of this file in your next reply.

jimkopke · November 13, 2010

Windows IP Configuration

Host Name . . . . . . . . . . . . : desk

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetLink Gigabit Ethernet

Physical Address. . . . . . . . . : 00-25-64-B4-E4-28

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 72.19.172.49

Subnet Mask . . . . . . . . . . . : 255.255.255.128

Default Gateway . . . . . . . . . : 72.19.172.1

DNS Servers . . . . . . . . . . . : 72.19.128.53

72.19.128.99

Server: ns7.skybeam.com

Address: 72.19.128.53

Name: google.com

Addresses: 209.85.225.103, 209.85.225.104, 209.85.225.105, 209.85.225.106

209.85.225.147, 209.85.225.99

Server: ns7.skybeam.com

Address: 72.19.128.53

Name: yahoo.com

Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56

209.191.122.70

Pinging google.com [74.125.95.106] with 32 bytes of data:

Reply from 74.125.95.106: bytes=32 time=43ms TTL=52

Reply from 74.125.95.106: bytes=32 time=44ms TTL=52

Ping statistics for 74.125.95.106:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 43ms, Maximum = 44ms, Average = 43ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=58ms TTL=50

Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 58ms, Maximum = 58ms, Average = 58ms

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 25 64 b4 e4 28 ...... Broadcom NetLink Gigabit Ethernet - Packet Scheduler Miniport

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 72.19.172.1 72.19.172.49 20

72.19.172.0 255.255.255.128 72.19.172.49 72.19.172.49 20

72.19.172.49 255.255.255.255 127.0.0.1 127.0.0.1 20

72.255.255.255 255.255.255.255 72.19.172.49 72.19.172.49 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

224.0.0.0 240.0.0.0 72.19.172.49 72.19.172.49 20

255.255.255.255 255.255.255.255 72.19.172.49 72.19.172.49 1

Default Gateway: 72.19.172.1

===========================================================================

Persistent Routes:

None

Hi,
Open notepad by going to Start > Run and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:
In Notepad click on the "File" menu > Save As...
Under "File name" type Router_Gammo.bat
Change "Save as type" to All Files
Save it to your Desktop
Double click on Router_Gammo.bat. It will open a notepad windows. Please post the contents of this file in your next reply.

jimkopke · November 13, 2010

After reviewing my actions in the last step requested, I realized that I did not follow your directions correctly. Here in the correct log as requested. There do seem to be some differences.

Windows IP Configuration

Host Name . . . . . . . . . . . . : desk

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetLink Gigabit Ethernet

Physical Address. . . . . . . . . : 00-25-64-B4-E4-28

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 72.19.172.49

Subnet Mask . . . . . . . . . . . : 255.255.255.128

Default Gateway . . . . . . . . . : 72.19.172.1

DNS Servers . . . . . . . . . . . : 72.19.128.53

72.19.128.99

Server: ns7.skybeam.com

Address: 72.19.128.53

Name: google.com

Addresses: 209.85.225.99, 209.85.225.103, 209.85.225.104, 209.85.225.105

209.85.225.106, 209.85.225.147

Server: ns7.skybeam.com

Address: 72.19.128.53

Name: yahoo.com

Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56

209.191.122.70

Pinging google.com [74.125.95.147] with 32 bytes of data:

Reply from 74.125.95.147: bytes=32 time=43ms TTL=52

Reply from 74.125.95.147: bytes=32 time=44ms TTL=52

Ping statistics for 74.125.95.147:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 43ms, Maximum = 44ms, Average = 43ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=59ms TTL=50

Reply from 98.137.149.56: bytes=32 time=58ms TTL=50

Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 58ms, Maximum = 59ms, Average = 58ms

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 25 64 b4 e4 28 ...... Broadcom NetLink Gigabit Ethernet - Packet Scheduler Miniport

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 72.19.172.1 72.19.172.49 20

72.19.172.0 255.255.255.128 72.19.172.49 72.19.172.49 20

72.19.172.49 255.255.255.255 127.0.0.1 127.0.0.1 20

72.255.255.255 255.255.255.255 72.19.172.49 72.19.172.49 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

224.0.0.0 240.0.0.0 72.19.172.49 72.19.172.49 20

255.255.255.255 255.255.255.255 72.19.172.49 72.19.172.49 1

Default Gateway: 72.19.172.1

===========================================================================

Persistent Routes:

None

Gammo · November 13, 2010

Hi,

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push
  
  Please also tell me if the problem is resolved after following the steps above.

jimkopke · November 15, 2010

It is Sunday night about 12:30 am and I haven't experienced an attach since I ran ComboFix which removed the following files unidentified by the other programs. To recap, it removed the following:

c:\documents and settings\Jim\Application Data\inst.exe

C:\ErrLog.txt

c:\program files\Search Toolbar

c:\program files\WinPCap

c:\program files\WinPCap\LICENSE

c:\windows\system32\15325643741.dll

If you would like me to run your latest requests, I will....and/or I will also report if I experience any more attacks, but as of right now, I have about about 36 hours of the system on line without incident. Previously, this meant about 75 or more web sites stacked up which I would have to delete. If you are familiar with this exploit, could you explain how it works? Thanks so very much for your help.

Jim

Hi,
Download TFC to your desktop
Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Start Malwarebytes' Anti-Malware
Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'd like us to scan your machine with ESET OnlineScan
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

Please also tell me if the problem is resolved after following the steps above.

Gammo · November 15, 2010

Hi,

Please follow the instructions in my previous post. We aren't done yet.

If you are familiar with this exploit, could you explain how it works?

Unfortunately, I'm not familiar with it.

jimkopke · November 16, 2010

Good morning. After running MBAM and ESET, I am still getting the phantom web hits. Interesting, there were no hits over the weekend at all. Then this morning, when I opened MSIE, it all started again. They come in bursts 20 or 30 per burst every 30 minutes or so. If I close MSIE, they stop, but seem to stack up somewhere, so when I open it again, the backlog of hits immediately dump. I'm also getting HAMMERED by intrusion attempts this morning that Norton is blocking.

Here's the logs as requested.

Eset:

C:\Documents and Settings\Jim\Desktop\Sound and Videos\Top of Charts - 2003 (animusic).wma WMA/TrojanDownloader.Wimad.K trojan cleaned by deleting - quarantined

MBAM:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5127

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/16/2010 8:21:56 AM

mbam-log-2010-11-16 (08-21-56).txt

Scan type: Quick scan

Objects scanned: 153086

Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Gammo · November 16, 2010

Hi,

Please delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
Click me
If you can't disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

jimkopke · November 16, 2010

ComboFix 10-11-15.06 - Jim 11/16/2010 13:12:08.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2577 [GMT -7:00]

Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\16512379641.dll

.

((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))

.

2010-11-16 15:27 . 2010-11-16 15:27 -------- d-----w- c:\program files\ESET