
Rootkit - Reserved.Word.Exploit - Suspicious.Mystic


Seth


Hello, this computer is infected and Explorer fails to start at boot. I was able to use Task Manager and launch it from a USB thumb drive; however, just copying explorer.exe back does not work. Norton pops up constantly saying I have Suspicious.Mystic. It also appears that System Restore is disabled, and I do not have the Dell restore DVD, just the restore partition. I was hoping sfc /scannow would replace Explorer, but it asks for the XP SP3 install CD.

GMER did not finish before I had to leave; there is a large folder for Mitchell Car Repair with over 19 million files.

I'll post it after the holidays.

Any help would be great,

Merry Christmas.

------ DDS.TXT ------

DDS (Ver_10-12-12.02) - NTFSx86

Run by username at 19:00:35.65 on Thu 12/23/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.350 [GMT -6:00]

AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

F:\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\WINDOWS\system32\dlbxcoms.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\username\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"

mRun: [iAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://univ6.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205102384875

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - hxxps://accounting.quickbooks.com/c1/v12.311/qboax8.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimpre~1\applic~1\mozilla\firefox\profiles\69cz299k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\onlive\firefoxplugin\npolgdet.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coFFPlgn

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-2 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-2 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-2 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20101223.002\IDSXpx86.sys [2010-12-23 341944]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 67656]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-11-23 363344]

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-2 117640]

R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-12-23 354176]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-22 102448]

R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-5-28 391296]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-23 20952]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101223.002\NAVENG.SYS [2010-12-23 86008]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101223.002\NAVEX15.SYS [2010-12-23 1360760]

S0 FsUdf;FsUdf; [x]

S0 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys --> c:\windows\system32\drivers\fvdscsi.sys [?]

S2 gupdate1c967a67cf58bce;gupdate1c967a67cf58bce;c:\program files\google\update\GoogleUpdate.exe [2009-2-10 133104]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [1979-12-31 376320]

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\tvserver\HAUPPA~1.EXE [2010-3-27 602624]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2007-9-13 354672]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 12872]

=============== Created Last 30 ================

2010-12-23 23:08:04 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys

2010-12-23 23:08:02 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys

2010-12-23 23:08:01 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll

2010-12-23 23:06:58 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll

2010-12-23 23:05:58 470144 ----a-w- c:\windows\system32\dllcache\g200d.dll

2010-12-23 23:04:49 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys

2010-12-23 23:03:59 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys

2010-12-23 23:02:59 26698 ----a-w- c:\windows\system32\dllcache\dlh5xnd5.sys

2010-12-23 23:01:59 28672 ----a-w- c:\windows\system32\dllcache\cyycoins.dll

2010-12-23 23:00:59 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll

2010-12-23 22:59:59 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll

2010-12-23 22:58:59 98304 ----a-w- c:\windows\system32\dllcache\a3d.dll

2010-12-23 22:58:59 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll

2010-12-23 22:58:58 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

2010-12-23 22:58:58 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll

2010-12-23 22:58:57 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll

2010-12-23 22:58:57 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys

2010-12-23 22:58:57 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys

2010-12-23 22:58:56 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys

2010-12-23 22:58:56 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys

2010-12-23 22:58:55 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys

2010-12-23 22:55:26 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll

2010-12-23 22:55:16 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll

2010-12-23 22:55:02 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe

2010-12-23 22:55:02 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll

2010-12-23 22:55:01 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll

2010-12-23 22:55:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll

2010-12-23 22:55:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe

2010-12-23 22:54:59 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll

2010-12-23 20:59:08 -------- d-----w- c:\docume~1\jimpre~1\locals~1\applic~1\Symantec

2010-12-23 20:48:09 -------- d-----w- c:\docume~1\jimpre~1\applic~1\spotmau

2010-12-23 20:47:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spotmau

2010-12-23 20:47:26 354176 ----a-w- c:\windows\system32\drivers\supersafer.sys

2010-12-23 20:47:25 681472 ----a-w- c:\windows\system32\wxmsw28u_adv_vc_custom.dll

2010-12-23 20:47:25 61440 ----a-w- c:\windows\system32\verify.dll

2010-12-23 20:47:25 492032 ----a-w- c:\windows\system32\wxmsw28u_xrc_vc_custom.dll

2010-12-23 20:47:25 470528 ----a-w- c:\windows\system32\wxmsw28u_html_vc_custom.dll

2010-12-23 20:47:25 2771968 ----a-w- c:\windows\system32\wxmsw28u_core_vc_custom.dll

2010-12-23 20:47:25 14336 ----a-w- c:\windows\system32\config.dll

2010-12-23 20:47:25 119808 ----a-w- c:\windows\system32\wxbase28u_net_vc_custom.dll

2010-12-23 20:47:25 118784 ----a-w- c:\windows\system32\wxbase28u_xml_vc_custom.dll

2010-12-23 20:47:25 1163776 ----a-w- c:\windows\system32\wxbase28u_vc_custom.dll

2010-12-23 20:47:04 -------- d-----w- c:\program files\Spotmau

2010-12-14 23:36:39 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-14 23:36:20 45568 ------w- c:\windows\system32\dllcache\wab.exe

2010-12-09 06:51:09 -------- d-----w- c:\program files\jv16 PowerTools 2010

2010-12-09 06:26:43 -------- d-----w- c:\docume~1\jimpre~1\locals~1\applic~1\OnLive App

2010-12-09 06:26:05 -------- d-----w- c:\program files\OnLive

2010-12-09 06:01:43 -------- d-----w- c:\docume~1\jimpre~1\locals~1\applic~1\ATI

2010-12-09 06:01:00 0 ----a-w- c:\windows\ativpsrm.bin

2010-12-09 05:58:13 593920 ------w- c:\windows\system32\ati2sgag.exe

2010-12-09 05:56:33 -------- d-----w- C:\ATI

2010-12-09 05:26:04 -------- d-----w- c:\docume~1\jimpre~1\applic~1\DeviceDoctorSoftware

2010-12-09 05:17:56 -------- d-----w- c:\docume~1\jimpre~1\locals~1\applic~1\Deployment

2010-12-09 03:48:38 -------- d-----w- c:\documents and settings\username\Backups

2010-12-09 03:44:44 -------- d-----w- c:\program files\ATI

2010-12-09 03:38:58 -------- d-----w- c:\program files\ATI Technologies

2010-12-09 02:39:24 -------- d-----w- c:\program files\Phyxion.net

2010-12-05 00:20:06 -------- d-----w- c:\docume~1\jimpre~1\applic~1\FrostWire

2010-12-05 00:18:59 -------- d-----w- c:\program files\FrostWire

2010-12-04 17:22:04 -------- d-----w- c:\docume~1\jimpre~1\applic~1\OnLive App

==================== Find3M ====================

2010-11-22 05:03:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-22 05:03:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 19:02:22.73 ===============

Desktop.zip

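A triage pass over the DDS output above, added here as an example and not a tool from this thread: it correlates the SERVICES / DRIVERS section with the Created Last 30 section so that a driver whose file was written within the last few days, or a driver entry with no binary on disk ([x] or [?]), is listed for review. The sample lines are copied from the log in this post; the section parser, the seven-day window and the finding names are my own assumptions.

```python
"""Correlate DDS driver entries with recently created files (added example)."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied verbatim from the DDS log in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-2 310320]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-12-23 354176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-23 20952]
S0 FsUdf;FsUdf; [x]
S0 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys --> c:\windows\system32\drivers\fvdscsi.sys [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
=============== Created Last 30 ================
2010-12-23 20:47:26 354176 ----a-w- c:\windows\system32\drivers\supersafer.sys
2010-12-23 20:47:25 14336 ----a-w- c:\windows\system32\config.dll
2010-12-09 05:58:13 593920 ------w- c:\windows\system32\ati2sgag.exe
==================== Find3M ====================
"""


@dataclass(frozen=True)
class Driver:
    state: str            # DDS convention: R0..R3 running, S0..S3 stopped
    name: str
    display: str
    path: Optional[str]   # None when DDS printed [x] / [?] instead of a file stat


@dataclass(frozen=True)
class Finding:
    kind: str             # "recent-driver" or "no-binary" (names assumed here)
    name: str
    path: Optional[str]
    created: Optional[date]


# "R2 name;display;path [yyyy-m-d size]" -- the stat part is parsed separately
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAT_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# "2010-12-23 20:47:26 354176 ----a-w- c:\path" (size is "--------" for directories)
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(?P<path>.+)$")


def parse_dds(text: str) -> Tuple[List[Driver], Dict[str, date]]:
    """Return the driver entries and a path -> creation-date map from a DDS log."""
    drivers: List[Driver] = []
    created: Dict[str, date] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):          # DDS section banner
            if "SERVICES / DRIVERS" in line:
                section = "drivers"
            elif "Created Last 30" in line:
                section = "created"
            else:
                section = None
            continue
        if section == "drivers":
            m = DRIVER_RE.match(line)
            if not m:
                continue
            stat = STAT_RE.match(m["rest"].strip())
            path = stat["path"].lower() if stat else None   # [x] / [?] -> None
            drivers.append(Driver(m["state"], m["name"], m["display"], path))
        elif section == "created":
            m = CREATED_RE.match(line)
            if m:
                when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").date()
                created[m["path"].lower()] = when
    return drivers, created


def triage(text: str, log_date: date, window_days: int = 7) -> List[Finding]:
    """List drivers worth a closer look: no binary on disk, or file created recently.

    A hit is a lead, not a verdict: supersafer.sys, for instance, was written in the
    same minute as the Spotmau folders elsewhere in this log, so it may simply belong
    to that install. The reviewer still checks each hit against the rest of the log.
    """
    drivers, created = parse_dds(text)
    findings: List[Finding] = []
    for d in drivers:
        if d.path is None:
            findings.append(Finding("no-binary", d.name, None, None))
            continue
        when = created.get(d.path)
        if when is not None and 0 <= (log_date - when).days <= window_days:
            findings.append(Finding("recent-driver", d.name, d.path, when))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, date(2010, 12, 23)):
        print(f"{f.kind:14} {f.name:12} {f.path or '-'} {f.created or ''}")
```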

Hello Seth

Welcome to Malwarebytes.

=====================

The items detected by MBAM: were they quarantined and removed?

You can run the following from a flash drive.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Alright, here is the ComboFix log; it would not run until I renamed it to Combo-Fix.exe.

I have also attached the GMER log missing from my previous attachment.

---

ComboFix 10-12-25.01 - Jim Prescott 12/25/2010 18:11:39.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.412 [GMT -6:00]

Running from: c:\documents and settings\Jim Prescott\Desktop\Combo-Fix.exe

AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))

.

2010-12-25 23:56 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe

2010-12-25 23:56 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe

2010-12-23 23:08 . 2001-08-17 18:11 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys

2010-12-23 23:08 . 2004-08-04 04:29 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys

2010-12-23 23:08 . 2008-04-14 01:11 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll

2010-12-23 23:06 . 2001-08-18 04:36 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll

2010-12-23 23:05 . 2001-08-17 20:56 470144 ----a-w- c:\windows\system32\dllcache\g200d.dll

2010-12-23 23:04 . 2001-08-17 18:12 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys

2010-12-23 23:03 . 2001-08-17 19:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys

2010-12-23 23:02 . 2001-08-17 18:11 26698 ----a-w- c:\windows\system32\dllcache\dlh5xnd5.sys

2010-12-23 23:01 . 2001-08-18 04:36 28672 ----a-w- c:\windows\system32\dllcache\cyycoins.dll

2010-12-23 23:00 . 2001-08-18 04:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll

2010-12-23 22:59 . 2001-08-18 04:36 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll

2010-12-23 22:58 . 2001-08-18 04:36 98304 ----a-w- c:\windows\system32\dllcache\a3d.dll

2010-12-23 22:58 . 2001-08-18 04:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll

2010-12-23 22:58 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

2010-12-23 22:58 . 2001-08-17 20:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll

2010-12-23 22:58 . 2008-04-13 19:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys

2010-12-23 22:58 . 2001-08-17 20:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll

2010-12-23 22:58 . 2001-08-17 18:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys

2010-12-23 22:58 . 2001-08-17 20:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys

2010-12-23 22:58 . 2001-08-17 19:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys

2010-12-23 22:58 . 2008-04-13 19:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys

2010-12-23 22:55 . 2004-08-10 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll

2010-12-23 22:55 . 2001-08-17 20:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll

2010-12-23 22:55 . 2004-08-10 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe

2010-12-23 22:55 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll

2010-12-23 22:55 . 2004-08-10 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll

2010-12-23 22:55 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll

2010-12-23 22:55 . 2004-08-10 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe

2010-12-23 22:54 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll

2010-12-23 20:59 . 2010-12-23 20:59 -------- d-----w- c:\documents and settings\Jim Prescott\Local Settings\Application Data\Symantec

2010-12-23 20:48 . 2010-12-23 20:48 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\spotmau

2010-12-23 20:47 . 2010-12-23 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spotmau

2010-12-23 20:47 . 2009-11-26 01:12 354176 ----a-w- c:\windows\system32\drivers\supersafer.sys

2010-12-23 20:47 . 2009-11-26 01:12 681472 ----a-w- c:\windows\system32\wxmsw28u_adv_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 61440 ----a-w- c:\windows\system32\verify.dll

2010-12-23 20:47 . 2009-11-26 01:12 492032 ----a-w- c:\windows\system32\wxmsw28u_xrc_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 470528 ----a-w- c:\windows\system32\wxmsw28u_html_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 2771968 ----a-w- c:\windows\system32\wxmsw28u_core_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 14336 ----a-w- c:\windows\system32\config.dll

2010-12-23 20:47 . 2009-11-26 01:12 119808 ----a-w- c:\windows\system32\wxbase28u_net_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 118784 ----a-w- c:\windows\system32\wxbase28u_xml_vc_custom.dll

2010-12-23 20:47 . 2009-11-26 01:12 1163776 ----a-w- c:\windows\system32\wxbase28u_vc_custom.dll

2010-12-23 20:47 . 2010-12-23 20:47 -------- d-----w- c:\program files\Spotmau

2010-12-14 23:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-14 23:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

2010-12-10 20:17 . 2010-12-10 20:17 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\pdf995

2010-12-09 13:52 . 2010-12-09 13:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Help

2010-12-09 07:43 . 2010-12-09 07:44 -------- d-----w- c:\program files\Recuva

2010-12-09 06:51 . 2010-12-09 06:53 -------- d-----w- c:\program files\jv16 PowerTools 2010

2010-12-09 06:26 . 2010-12-09 06:26 -------- d-----w- c:\documents and settings\Jim Prescott\Local Settings\Application Data\OnLive App

2010-12-09 06:26 . 2010-12-09 06:26 -------- d-----w- c:\program files\OnLive

2010-12-09 06:01 . 2010-12-09 06:01 -------- d-----w- c:\documents and settings\Jim Prescott\Local Settings\Application Data\ATI

2010-12-09 06:01 . 2010-12-09 06:01 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\ATI

2010-12-09 06:01 . 2010-12-09 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2010-12-09 06:01 . 2010-12-09 06:01 0 ----a-w- c:\windows\ativpsrm.bin

2010-12-09 05:58 . 2010-02-11 03:20 593920 ------w- c:\windows\system32\ati2sgag.exe

2010-12-09 05:56 . 2010-12-09 05:56 -------- d-----w- C:\ATI

2010-12-09 05:26 . 2010-12-09 05:26 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\DeviceDoctorSoftware

2010-12-09 05:17 . 2010-12-09 05:18 -------- d-----w- c:\documents and settings\Jim Prescott\Local Settings\Application Data\Deployment

2010-12-09 03:48 . 2010-12-09 03:48 -------- d-----w- c:\documents and settings\Jim Prescott\Backups

2010-12-09 03:44 . 2010-12-09 03:44 -------- d-----w- c:\program files\ATI

2010-12-09 03:38 . 2010-12-09 05:59 -------- d-----w- c:\program files\ATI Technologies

2010-12-09 02:39 . 2010-12-09 17:32 -------- d-----w- c:\program files\Phyxion.net

2010-12-05 00:20 . 2010-12-09 06:39 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\FrostWire

2010-12-05 00:18 . 2010-12-05 00:21 -------- d-----w- c:\program files\FrostWire

2010-12-04 17:22 . 2010-12-04 17:46 -------- d-----w- c:\documents and settings\Jim Prescott\Application Data\OnLive App

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2008-11-23 22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2008-11-23 22:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-22 05:03 . 2010-11-22 05:03 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-22 05:03 . 2010-04-17 05:56 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-18 18:12 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2004-08-10 10:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-10 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-10 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-10 10:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-10 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-10 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-10 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-21 443728]

"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]

"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-03 17:56 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk

backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BDARemote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk

backup=c:\windows\pss\BDARemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinTV Recording Status..lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

2009-10-24 01:34 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2004-10-12 21:54 57344 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-05 18:56 64512 ----a-w- c:\windows\EHOME\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\aol\1215311243\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpotmauSecretary]

2009-11-26 01:11 627200 ----a-w- c:\program files\Spotmau\secretary\Spotmau_S.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2010-02-11 05:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdController.exe"=

"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServer.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1215311243\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\StarWarsGalaxies\\SwgClient_r.exe"=

"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=

"c:\\Program Files\\WinTV\\WinTV7\\WinTV7.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"55567:TCP"= 55567:TCP:RosettaStoneLtdServices Port 55567

"55570:TCP"= 55570:TCP:RosettaStoneLtdServices Port 55570

"55568:TCP"= 55568:TCP:RosettaStoneLtdServer Port 55568

"55569:TCP"= 55569:TCP:RosettaStoneLtdController Port 55569

"55566:TCP"= 55566:TCP:RosettaStoneLtdServices Port 55566

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [3/2/2010 6:14 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [3/2/2010 6:14 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [3/2/2010 6:14 PM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101224.001\IDSXpx86.sys [12/24/2010 6:16 PM 341944]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 11:06 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/23/2008 4:20 PM 363344]

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [3/2/2010 6:13 PM 117640]

R2 supersafer;supersafer;c:\windows\SYSTEM32\DRIVERS\supersafer.sys [12/23/2010 2:47 PM 354176]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/22/2010 6:34 PM 102448]

R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\SYSTEM32\DRIVERS\hcw18bda.sys [5/28/2009 10:46 AM 391296]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [11/23/2008 4:20 PM 20952]

S0 FsUdf;FsUdf; [x]

S0 fvdscsi;fvdscsi;c:\windows\system32\DRIVERS\fvdscsi.sys --> c:\windows\system32\DRIVERS\fvdscsi.sys [?]

S2 gupdate1c967a67cf58bce;gupdate1c967a67cf58bce;c:\program files\Google\Update\GoogleUpdate.exe [2/10/2009 11:03 AM 133104]

S3 Angel;Angel MPEG Device;c:\windows\SYSTEM32\DRIVERS\Angel.sys [12/31/1979 11:00 PM 376320]

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [3/27/2010 11:28 AM 602624]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\RosettaStoneLtdServices\RosettaStoneLtdController.exe [9/13/2007 11:00 AM 354672]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 12872]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-10 00:34]

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 17:03]

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 17:03]

2010-12-25 c:\windows\Tasks\User_Feed_Synchronization-{7A885ABA-6A54-4AF3-A134-3FA77EB90C2B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://univ6.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\Jim Prescott\Application Data\Mozilla\Firefox\Profiles\69cz299k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-25 18:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1416)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-25 18:27:50

ComboFix-quarantined-files.txt 2010-12-26 00:27

Pre-Run: 38,703,931,392 bytes free

Post-Run: 38,628,970,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - FC1A0566101061D150BC0C8711279213

gmer.log

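The ComboFix log above packs the findings a helper looks at first (a disabled Windows Firewall, services whose image file is gone, drivers written days before the scan) into a compact one-line-per-entry format. As an added example for reading that format, not code from the thread or from ComboFix, the parser below pulls those entries out and summarises them; the sample text is constructed from lines in the log above, and the R/S and start-type meanings in the comments are the assumed ComboFix convention.

```python
"""Triage helper for the services/drivers and firewall sections of a
ComboFix log such as the one posted above.  Added example, not code from
the thread or from ComboFix; the sample text is constructed from lines
in the log above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: the firewall key, a few service lines and the
# completion stamp, in the layout ComboFix uses.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 11:06 AM 12872]
R2 supersafer;supersafer;c:\windows\SYSTEM32\DRIVERS\supersafer.sys [12/23/2010 2:47 PM 354176]
S0 FsUdf;FsUdf; [x]
S0 fvdscsi;fvdscsi;c:\windows\system32\DRIVERS\fvdscsi.sys --> c:\windows\system32\DRIVERS\fvdscsi.sys [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
Completion time: 2010-12-25 18:27:50
"""

# Assumed ComboFix convention: R = running, S = stopped, digit = start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
COMPLETION_RE = re.compile(r"^Completion time:\s*(\d{4}-\d{2}-\d{2})")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    file_time: Optional[datetime]  # None when the file was not found
    size: Optional[int]
    status: str  # "ok", "missing" ([x]) or "unresolved" ([?])


def parse_service(line: str) -> Optional[ServiceEntry]:
    """Parse one R#/S# service line; return None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    info = m.group("info").strip()
    path = m.group("path").strip()
    file_time = size = None
    if info == "x":
        status = "missing"        # registered, but no image file on disk
    elif info == "?":
        status = "unresolved"     # ComboFix could not stat the path
        path = path.split("-->")[0].strip()
    else:
        status = "ok"
        parts = info.split()      # e.g. "12/23/2010 2:47 PM 354176"
        file_time = datetime.strptime(" ".join(parts[:3]), "%m/%d/%Y %I:%M %p")
        size = int(parts[3])
    return ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        start_type=START_TYPES.get(m.group("start"), "unknown"),
        path=path,
        file_time=file_time,
        size=size,
        status=status,
    )


def triage(log_text: str, recent_days: int = 7) -> Dict[str, object]:
    """Collect the findings a helper would want to look at first."""
    services: List[ServiceEntry] = []
    firewall_disabled = False
    completed: Optional[datetime] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_service(line)
        if entry:
            services.append(entry)
            continue
        fw = FIREWALL_RE.match(line)
        if fw:
            firewall_disabled = fw.group(1) == "0"
        ct = COMPLETION_RE.match(line)
        if ct:
            completed = datetime.strptime(ct.group(1), "%Y-%m-%d")
    recent: List[str] = []
    if completed is not None:
        cutoff = completed - timedelta(days=recent_days)
        recent = [s.name for s in services
                  if s.file_time is not None and s.file_time >= cutoff]
    return {
        "firewall_disabled": firewall_disabled,
        "missing_image": [s.name for s in services if s.status == "missing"],
        "unresolved": [s.name for s in services if s.status == "unresolved"],
        "recent_drivers": recent,  # image files written shortly before the scan
        "services": services,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        if key != "services":
            print(f"{key}: {value}")
```

Entries flagged `missing` or `unresolved` are usually leftovers of tools that were removed by hand (the rootkit unhooker driver here is one), but they still point at registry keys to clean up; a driver whose image file was written within days of the scan is the first thing to look at, which is why the helper reports it separately from the full service list.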

Ok.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan inside archives.
  • Click Scan
  • Wait for the scan to finish
  • Click on the option that says Export to text file.
  • Save it to your desktop and post the contents here in your next reply.
  • Once the log is saved click the option to delete quarantined threats and Uninstall application on close.


The computer seems to boot and the explorer appears. But slower, maybe?

I rescanned with ESET and here is the log.

--- Eset.Txt ---

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000264.dll a variant of Win32/Bamital.DV trojan cleaned by deleting - quarantined

I have since turned off system restore in the system properties and rebooted.

Not sure what the next step is.

Should I enable system restore? Does it slow down the computer? It always seems to get infected and doesn't help when something goes wrong.

-Seth


Yes you should re-enable system restore.

It always gets infected because the system makes snapshots of what is on it so naturally if you have an infection then it will be recorded with everything else as well.

I see no further signs of infection.

How slow does explorer load now?


Ok. Go to Start > Run, type in cmd, then hit OK.

Then type in this: chkdsk /r /f, then hit Enter.

Type in Y at the prompt and then restart the computer.

Let it run through this check and then let me know if it does any better after that.

Leave Combofix for now we will remove it in a bit.


Ok, things seemed stable until recently, when Norton popped up saying Trojan.Bamital.B!inf is inside C:/windows/temp.tmp.

So I decided to remove it from quarantine and scan it with VirusTotal; here is the link.

http://www.virustotal.com/file-scan/report...97b7-1294006894

Only Norton, and no other scanner, claims it's Suspicious.Mystic.

Is this a new virus? Something had to make it appear as temp.tmp, and when I right-click and choose Properties it shows the same information as explorer.exe by Microsoft.

Here I zipped and attached the file.

I'm slightly confused.

temp.zip


Could be a newer variant, but it is just a renamed copy of explorer that was not yet detected by anything but Norton.

Actually simply deleting the file will remove that.

That was simply a leftover from before so it is nothing to worry about.

Other than that how are things running?


Yes, I will have someone remove the logs.

Please visit this page and install the latest version of Adobe reader: http://get.adobe.com/reader/

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.

============

Delete\uninstall anything else that we have used that is leftover.

After that, you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow: Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers: Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, emule, uTorrent etc...

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.